CVE-2021-37696 - OpenCVE

tmerc-cogs are a collection of open source plugins for the Red Discord bot. A vulnerability has been found in the code that allows any user to access sensitive information by crafting a specific MassDM message. Issue is patched in commit 92325be650a6c17940cc52611797533ed95dbbe1. All users are advised to update to the current commit. As a workaround users may unload the MassDM cog or globally disable the `[p]massdm` command.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Tmerc-cogs Project	Tmerc-cogs

Configuration 1 [-]

cpe:2.3:a:tmerc-cogs_project:tmerc-cogs:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/tmercswims/tmerc-cogs/commit/92325be650a6c17940cc5
https://github.com/tmercswims/tmerc-cogs/security/advisories/GHSA-ffhm-9c8j-wx9h

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-08-11T22:55:09

Updated: 2024-08-04T01:23:01.525Z

Reserved: 2021-07-29T00:00:00

Link: CVE-2021-37696

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-08-11T23:15:07.953

Modified: 2021-08-20T18:20:30.977

Link: CVE-2021-37696

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "tmerc-cogs", "vendor": "tmercswims", "versions": [{"status": "affected", "version": "< 92325be650a6c17940cc5"}]}], "descriptions": [{"lang": "en", "value": "tmerc-cogs are a collection of open source plugins for the Red Discord bot. A vulnerability has been found in the code that allows any user to access sensitive information by crafting a specific MassDM message. Issue is patched in commit 92325be650a6c17940cc52611797533ed95dbbe1. All users are advised to update to the current commit. As a workaround users may unload the MassDM cog or globally disable the `[p]massdm` command."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-11T22:55:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tmercswims/tmerc-cogs/security/advisories/GHSA-ffhm-9c8j-wx9h"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/tmercswims/tmerc-cogs/commit/92325be650a6c17940cc5"}], "source": {"advisory": "GHSA-ffhm-9c8j-wx9h", "discovery": "UNKNOWN"}, "title": "Sensitive information leak in MassDM of tmerc-cogs", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-37696", "STATE": "PUBLIC", "TITLE": "Sensitive information leak in MassDM of tmerc-cogs"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "tmerc-cogs", "version": {"version_data": [{"version_value": "< 92325be650a6c17940cc5"}]}}]}, "vendor_name": "tmercswims"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "tmerc-cogs are a collection of open source plugins for the Red Discord bot. A vulnerability has been found in the code that allows any user to access sensitive information by crafting a specific MassDM message. Issue is patched in commit 92325be650a6c17940cc52611797533ed95dbbe1. All users are advised to update to the current commit. As a workaround users may unload the MassDM cog or globally disable the `[p]massdm` command."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-306: Missing Authentication for Critical Function"}]}]}, "references": {"reference_data": [{"name": "https://github.com/tmercswims/tmerc-cogs/security/advisories/GHSA-ffhm-9c8j-wx9h", "refsource": "CONFIRM", "url": "https://github.com/tmercswims/tmerc-cogs/security/advisories/GHSA-ffhm-9c8j-wx9h"}, {"name": "https://github.com/tmercswims/tmerc-cogs/commit/92325be650a6c17940cc5", "refsource": "MISC", "url": "https://github.com/tmercswims/tmerc-cogs/commit/92325be650a6c17940cc5"}]}, "source": {"advisory": "GHSA-ffhm-9c8j-wx9h", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:23:01.525Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/tmercswims/tmerc-cogs/security/advisories/GHSA-ffhm-9c8j-wx9h"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/tmercswims/tmerc-cogs/commit/92325be650a6c17940cc5"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-37696", "datePublished": "2021-08-11T22:55:09", "dateReserved": "2021-07-29T00:00:00", "dateUpdated": "2024-08-04T01:23:01.525Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tmerc-cogs_project:tmerc-cogs:*:*:*:*:*:*:*:*", "matchCriteriaId": "7CA632EB-C1C0-495D-ADDC-BA9FC86829B6", "versionEndExcluding": "3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "tmerc-cogs are a collection of open source plugins for the Red Discord bot. A vulnerability has been found in the code that allows any user to access sensitive information by crafting a specific MassDM message. Issue is patched in commit 92325be650a6c17940cc52611797533ed95dbbe1. All users are advised to update to the current commit. As a workaround users may unload the MassDM cog or globally disable the `[p]massdm` command."}, {"lang": "es", "value": "tmerc-cogs son una colecci\u00f3n de plugins de c\u00f3digo abierto para el bot Red Discord. Se ha encontrado una vulnerabilidad en el c\u00f3digo que permite a cualquier usuario acceder a informaci\u00f3n confidencial dise\u00f1ando un mensaje MassDM espec\u00edfico. El problema est\u00e1 parcheado en el commit 92325be650a6c17940cc52611797533ed95dbbe1. Se recomienda a todos los usuarios que actualicen a la confirmaci\u00f3n actual. Como soluci\u00f3n, los usuarios pueden descargar el engranaje MassDM o desactivar globalmente el comando \"[p]massdm\""}], "id": "CVE-2021-37696", "lastModified": "2021-08-20T18:20:30.977", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-08-11T23:15:07.953", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/tmercswims/tmerc-cogs/commit/92325be650a6c17940cc5"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/tmercswims/tmerc-cogs/security/advisories/GHSA-ffhm-9c8j-wx9h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Secondary"}]}