CVE-2020-5302 - Vulnerability Details - OpenCVE

MH-WikiBot (an IRC Bot for interacting with the Miraheze API), had a bug that allowed any unprivileged user to access the steward commands on the IRC interface by impersonating the Nickname used by a privileged user as no check was made to see if they were logged in. The issue has been fixed in commit 23d9d5b0a59667a5d6816fdabb960b537a5f9ed1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00245.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

examknow

MH-WikiBot

affected

Version	Status	Constraints
`< commit 23d9d5b0a59667a5d6816fdabb960b537a5f9ed1`	affected	—

Configuration 1 [-]

cpe:2.3:a:mh-wikibot_project:mh-wikibot:*:*:*:*:*:*:*:*

No data.

No data.

Subscriptions

Vendors	Products
Mh-wikibot Project Subscribe	Mh-wikibot Subscribe

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2020-26489	MH-WikiBot (an IRC Bot for interacting with the Miraheze API), had a bug that allowed any unprivileged user to access the steward commands on the IRC interface by impersonating the Nickname used by a privileged user as no check was made to see if they were logged in. The issue has been fixed in commit 23d9d5b0a59667a5d6816fdabb960b537a5f9ed1.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/examknow/MH-WikiBot/compare/2eac90d...1a62da1
https://github.com/examknow/MH-WikiBot/security/advisories/GHSA-7hf3-wvp8-34r9

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-04-07T15:40:14.000Z

Updated: 2024-08-04T08:22:09.088Z

Reserved: 2020-01-02T00:00:00.000Z

Link: CVE-2020-5302

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-04-07T16:15:18.557

Modified: 2024-11-21T05:33:52.187

Link: CVE-2020-5302

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"containers": {"cna": {"affected": [{"product": "MH-WikiBot", "vendor": "examknow", "versions": [{"status": "affected", "version": "< commit 23d9d5b0a59667a5d6816fdabb960b537a5f9ed1"}]}], "descriptions": [{"lang": "en", "value": "MH-WikiBot (an IRC Bot for interacting with the Miraheze API), had a bug that allowed any unprivileged user to access the steward commands on the IRC interface by impersonating the Nickname used by a privileged user as no check was made to see if they were logged in. The issue has been fixed in commit 23d9d5b0a59667a5d6816fdabb960b537a5f9ed1."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-04-09T13:47:09.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/examknow/MH-WikiBot/security/advisories/GHSA-7hf3-wvp8-34r9"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/examknow/MH-WikiBot/compare/2eac90d...1a62da1"}], "source": {"advisory": "GHSA-7hf3-wvp8-34r9", "discovery": "UNKNOWN"}, "title": "unprivileged user can access priviledged action in MH-WikiBot", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5302", "STATE": "PUBLIC", "TITLE": "unprivileged user can access priviledged action in MH-WikiBot"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "MH-WikiBot", "version": {"version_data": [{"version_value": "< commit 23d9d5b0a59667a5d6816fdabb960b537a5f9ed1"}]}}]}, "vendor_name": "examknow"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MH-WikiBot (an IRC Bot for interacting with the Miraheze API), had a bug that allowed any unprivileged user to access the steward commands on the IRC interface by impersonating the Nickname used by a privileged user as no check was made to see if they were logged in. The issue has been fixed in commit 23d9d5b0a59667a5d6816fdabb960b537a5f9ed1."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284: Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://github.com/examknow/MH-WikiBot/security/advisories/GHSA-7hf3-wvp8-34r9", "refsource": "CONFIRM", "url": "https://github.com/examknow/MH-WikiBot/security/advisories/GHSA-7hf3-wvp8-34r9"}, {"name": "https://github.com/examknow/MH-WikiBot/compare/2eac90d...1a62da1", "refsource": "MISC", "url": "https://github.com/examknow/MH-WikiBot/compare/2eac90d...1a62da1"}]}, "source": {"advisory": "GHSA-7hf3-wvp8-34r9", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:09.088Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/examknow/MH-WikiBot/security/advisories/GHSA-7hf3-wvp8-34r9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/examknow/MH-WikiBot/compare/2eac90d...1a62da1"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5302", "datePublished": "2020-04-07T15:40:14.000Z", "dateReserved": "2020-01-02T00:00:00.000Z", "dateUpdated": "2024-08-04T08:22:09.088Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mh-wikibot_project:mh-wikibot:*:*:*:*:*:*:*:*", "matchCriteriaId": "F2B3F798-2FEF-4D2C-BCC7-B2DD4ED16D21", "versionEndExcluding": "2020-04-06", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "MH-WikiBot (an IRC Bot for interacting with the Miraheze API), had a bug that allowed any unprivileged user to access the steward commands on the IRC interface by impersonating the Nickname used by a privileged user as no check was made to see if they were logged in. The issue has been fixed in commit 23d9d5b0a59667a5d6816fdabb960b537a5f9ed1."}, {"lang": "es", "value": "MH-WikiBot (un IRC Bot para interactuar con la API Miraheze), presenta un bug que permit\u00eda a cualquier usuario no privilegiado acceder a los comandos de administrador en la interfaz IRC al suplantar el Nickname usado por un usuario privilegiado, ya que no se realiz\u00f3 ninguna comprobaci\u00f3n para ver si iniciaron sesi\u00f3n. El problema ha sido corregido en el commit 23d9d5b0a59667a5d6816fdabb960b537a5f9ed1."}], "id": "CVE-2020-5302", "lastModified": "2024-11-21T05:33:52.187", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-07T16:15:18.557", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/examknow/MH-WikiBot/compare/2eac90d...1a62da1"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/examknow/MH-WikiBot/security/advisories/GHSA-7hf3-wvp8-34r9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/examknow/MH-WikiBot/compare/2eac90d...1a62da1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/examknow/MH-WikiBot/security/advisories/GHSA-7hf3-wvp8-34r9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}