Lucene search

GitHub_MCVELIST:CVE-2024-45307

HistorySep 03, 2024 - 7:01 p.m.

CVE-2024-45307 SudoBot missing authorization check in `-config` command

2024-09-0319:01:11

CWE-285

CWE-862

GitHub_M

www.cve.org

sudobot

discord

privilege escalation

exploit

-config command

authorization check

version 9.26.7

manageguild permission

sql statement

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H

EPSS

0.001

Percentile

39.7%

JSON

SudoBot, a Discord moderation bot, is vulnerable to privilege escalation and exploit of the -config command in versions prior to 9.26.7. Anyone is theoretically able to update any configuration of the bot and potentially gain control over the bot’s settings. Every version of v9 before v9.26.7 is affected. Other versions (e.g. v8) are not affected. Users should upgrade to version 9.26.7 to receive a patch. A workaround would be to create a command permission overwrite in the Database. A SQL statement provided in the GitHub Security Advisor can be executed to create a overwrite that disallows users without ManageGuild permission to run the -config command. Run the SQL statement for every server the bot is in, and replace <guild_id> with the appropriate Guild ID each time.

CNA Affected

[
  {
    "vendor": "onesoft-sudo",
    "product": "sudobot",
    "versions": [
      {
        "version": ">= 9.0.0, < 9.26.7",
        "status": "affected"
      }
    ]
  }
]

References

github.com/onesoft-sudo/sudobot/commit/ef46ca98562f3c1abef4ff7dd94d8f7b8155ee50

github.com/onesoft-sudo/sudobot/security/advisories/GHSA-crgg-w3rr-r9h4