CVSS base score: 6.5

CVE-2024-21624

nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template.
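The advisory describes two things a defender needs to see side by side: the pattern that makes user-provided text part of the template (so that braces and attribute access in that text are interpreted), and the safe pattern in which user text is passed only as a value, plus the advisory's own interim workaround of dropping underscores. The following Python snippet is an added illustration written for this page; it is not nonebot2's code and does not use its `MessageTemplate` API. It assumes, for the demonstration only, that the template language behaves like Python's `str.format` field syntax, and the template, context object and helper names (`unsafe_render`, `safe_render`, `strip_underscores`, `contains_template_syntax`) are constructed here.

```python
"""Defensive handling of user-provided text in a str.format-style template.

Added illustration for CVE-2024-21624 (not nonebot2's own code). It assumes
the template uses Python str.format-style fields such as "{name}" and
"{obj.attr}"; that is an assumption made for this example.
"""
import re

# Constructed template and context used throughout the example.
TEMPLATE = "Hello {user}, your request id is {req.id}"


class _Req:
    """Constructed stand-in for an object that the template may reference."""
    id = 42


CONTEXT = {"req": _Req()}


def unsafe_render(user_text: str) -> str:
    """Vulnerable pattern: the user's text is spliced INTO the template
    string before formatting, so any field syntax the user supplies is
    parsed and resolved against the context exactly like the author's own
    fields. This is the shape of the issue the advisory describes."""
    template = f"Hello {user_text}, your request id is {{req.id}}"
    return template.format(**CONTEXT)


def strip_underscores(user_text: str) -> str:
    """Interim workaround quoted in the advisory: remove underscores so that
    underscore-prefixed attribute names cannot be named from user input."""
    return user_text.replace("_", "")


def safe_render(user_text: str) -> str:
    """Preferred pattern: the template is a constant controlled by the
    developer, and the user's text is passed only as a VALUE. Braces and
    dots inside the value are copied literally, never parsed."""
    return TEMPLATE.format(user=user_text, **CONTEXT)


def contains_template_syntax(user_text: str) -> bool:
    """Detection helper for logging or rejection: flag input that carries
    a brace-delimited field before it reaches any template code."""
    return re.search(r"\{[^}]*\}", user_text) is not None
```

Run `safe_render("{req.id}")` and the braces come back unchanged in the output; run `unsafe_render` on the same input and the field is resolved to `42`, which is the behaviour that, with a richer context, leads to the information exposure the advisory describes. The underscore filter reduces exposure for code that cannot yet move to the value-only pattern, but it is a workaround: upgrading to a patched version and keeping user text out of the template string are the durable fixes.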
Data provided by the National Vulnerability Database (NVD)
Affected versions (vendor / product / version):
Nonebot / Nonebot: >= 2.0.1, < 2.2.0
Nonebot / Nonebot: 2.0.0 (update: -)
Nonebot / Nonebot: 2.0.0 (update: alpha16)
Nonebot / Nonebot: 2.0.0 (update: beta1)
Nonebot / Nonebot: 2.0.0 (update: beta2)
Nonebot / Nonebot: 2.0.0 (update: beta3)
Nonebot / Nonebot: 2.0.0 (update: beta4)
Nonebot / Nonebot: 2.0.0 (update: beta5)
Nonebot / Nonebot: 2.0.0 (update: rc1)
Nonebot / Nonebot: 2.0.0 (update: rc2)
Nonebot / Nonebot: 2.0.0 (update: rc3)
Nonebot / Nonebot: 2.0.0 (update: rc4)
No CISA KEV entry or CERT.at advisory was found for this CVE.
EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.26% | 0.494
CVSS metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
security-advisories@github.com | 5.7 | 2.1 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.