8.1
CVE-2021-21431
- EPSS 1.07%
- Veröffentlicht 09.04.2021 16:15:11
- Zuletzt bearbeitet 21.11.2024 05:48:20
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginImproper Input Validation in sopel-plugins.channelmgnt
sopel-channelmgnt is a channelmgnt plugin for sopel. In versions prior to 2.0.1, on some IRC servers, restrictions around the removal of the bot using the kick/kickban command could be bypassed when kicking multiple users at once. We also believe it may have been possible to remove users from other channels but due to the wonder that is IRC and following RfCs, We have no POC for that. Freenode is not affected. This is fixed in version 2.0.1. As a workaround, do not use this plugin on networks where TARGMAX > 1.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Mirahezebots ≫ Channelmgnt SwPlatformsopel Version < 2.0.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.07% | 0.605 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 1.7 | 5.8 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:H
|
| nvd@nist.gov | 5.5 | 8 | 4.9 |
AV:N/AC:L/Au:S/C:N/I:P/A:P
|
| security-advisories@github.com | 7.6 | 1.2 | 5.8 |
CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:H
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-284 Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
https://pypi.org/project/sopel-plugins.channelmgnt/
https://github.com/MirahezeBots/sopel-channelmgnt/commit/7c96d400358221e59135f0a0be0744f3fad73856
https://github.com/MirahezeBots/sopel-channelmgnt/security/advisories/GHSA-23c7-6444-399m