GitHub Advisory DatabaseGHSA-QMHJ-M29V-GVMRBots using py-cord as Discord API wrapper are vulnerable to shutdowns through remote code execution
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
32.8%
Impact
py-cord is a an API wrapper for Discord written in Python. Bots using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the application.commands scope without the bot scope. Currently, it appears that all public bots that use slash commands are affected.
Patches
This issue has been patched in version 2.0.1.
Workarounds
There are currently no recommended workarounds - please upgrade to a patched version.
References
https://github.com/Pycord-Development/pycord/pull/1568
For more information
If you have any questions or comments about this advisory:
- Open an issue in our GitHub
- Email us at [email protected]
Affected configurations
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
32.8%