CVE-2022-23604 - OpenCVE

x26-Cogs is a repository of cogs made by Twentysix for the Red Discord bot. Among these cogs is the Defender cog, a tool for Discord server moderation. A vulnerability in the Defender cog prior to version 1.10.0 allows users with admin privileges to issue commands as other users who share the same server. If a bot owner shares the same server as the attacker, it is possible for the attacker to issue bot-owner restricted commands. The issue has been patched in version 1.10.0. One may unload the Defender cog as a workaround.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
X26-cogs Project	X26-cogs

Configuration 1 [-]

cpe:2.3:a:x26-cogs_project:x26-cogs:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/Twentysix26/x26-Cogs/commit/72dd9323cb4c90f3a5accac7087605375d178246
https://github.com/Twentysix26/x26-Cogs/releases/tag/v1.10
https://github.com/Twentysix26/x26-Cogs/security/advisories/GHSA-cfh8-v56j-5757

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-02-15T15:40:11

Updated: 2024-08-03T03:43:46.888Z

Reserved: 2022-01-19T00:00:00

Link: CVE-2022-23604

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-02-15T16:15:09.000

Modified: 2022-02-24T02:26:05.927

Link: CVE-2022-23604

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "x26-Cogs", "vendor": "Twentysix26", "versions": [{"status": "affected", "version": "< 1.10.0"}]}], "descriptions": [{"lang": "en", "value": "x26-Cogs is a repository of cogs made by Twentysix for the Red Discord bot. Among these cogs is the Defender cog, a tool for Discord server moderation. A vulnerability in the Defender cog prior to version 1.10.0 allows users with admin privileges to issue commands as other users who share the same server. If a bot owner shares the same server as the attacker, it is possible for the attacker to issue bot-owner restricted commands. The issue has been patched in version 1.10.0. One may unload the Defender cog as a workaround."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-15T15:40:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Twentysix26/x26-Cogs/security/advisories/GHSA-cfh8-v56j-5757"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Twentysix26/x26-Cogs/commit/72dd9323cb4c90f3a5accac7087605375d178246"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Twentysix26/x26-Cogs/releases/tag/v1.10"}], "source": {"advisory": "GHSA-cfh8-v56j-5757", "discovery": "UNKNOWN"}, "title": "Privilege escalation in Defender", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-23604", "STATE": "PUBLIC", "TITLE": "Privilege escalation in Defender"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "x26-Cogs", "version": {"version_data": [{"version_value": "< 1.10.0"}]}}]}, "vendor_name": "Twentysix26"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "x26-Cogs is a repository of cogs made by Twentysix for the Red Discord bot. Among these cogs is the Defender cog, a tool for Discord server moderation. A vulnerability in the Defender cog prior to version 1.10.0 allows users with admin privileges to issue commands as other users who share the same server. If a bot owner shares the same server as the attacker, it is possible for the attacker to issue bot-owner restricted commands. The issue has been patched in version 1.10.0. One may unload the Defender cog as a workaround."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-269: Improper Privilege Management"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Twentysix26/x26-Cogs/security/advisories/GHSA-cfh8-v56j-5757", "refsource": "CONFIRM", "url": "https://github.com/Twentysix26/x26-Cogs/security/advisories/GHSA-cfh8-v56j-5757"}, {"name": "https://github.com/Twentysix26/x26-Cogs/commit/72dd9323cb4c90f3a5accac7087605375d178246", "refsource": "MISC", "url": "https://github.com/Twentysix26/x26-Cogs/commit/72dd9323cb4c90f3a5accac7087605375d178246"}, {"name": "https://github.com/Twentysix26/x26-Cogs/releases/tag/v1.10", "refsource": "MISC", "url": "https://github.com/Twentysix26/x26-Cogs/releases/tag/v1.10"}]}, "source": {"advisory": "GHSA-cfh8-v56j-5757", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:43:46.888Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Twentysix26/x26-Cogs/security/advisories/GHSA-cfh8-v56j-5757"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Twentysix26/x26-Cogs/commit/72dd9323cb4c90f3a5accac7087605375d178246"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Twentysix26/x26-Cogs/releases/tag/v1.10"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-23604", "datePublished": "2022-02-15T15:40:11", "dateReserved": "2022-01-19T00:00:00", "dateUpdated": "2024-08-03T03:43:46.888Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:x26-cogs_project:x26-cogs:*:*:*:*:*:*:*:*", "matchCriteriaId": "0244BB5C-D961-4BD3-AB3E-7E7448F414BA", "versionEndExcluding": "1.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "x26-Cogs is a repository of cogs made by Twentysix for the Red Discord bot. Among these cogs is the Defender cog, a tool for Discord server moderation. A vulnerability in the Defender cog prior to version 1.10.0 allows users with admin privileges to issue commands as other users who share the same server. If a bot owner shares the same server as the attacker, it is possible for the attacker to issue bot-owner restricted commands. The issue has been patched in version 1.10.0. One may unload the Defender cog as a workaround."}, {"lang": "es", "value": "x26-Cogs es un repositorio de cogs hecho por Twentysix para el bot Red Discord. Entre estos engranajes es encontrado el engranaje Defender, una herramienta para la moderaci\u00f3n del servidor de Discord. Una vulnerabilidad en Defender cog versiones anteriores a 1.10.0, permite a usuarios con privilegios de administrador emitir comandos como otros usuarios que comparten el mismo servidor. Si el propietario de un bot comparte el mismo servidor que el atacante, es posible que \u00e9ste emita comandos restringidos al propietario del bot. El problema ha sido parcheado en versi\u00f3n 1.10.0. Puede descargarse el engranaje Defender como medida de mitigaci\u00f3n"}], "id": "CVE-2022-23604", "lastModified": "2022-02-24T02:26:05.927", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-02-15T16:15:09.000", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Twentysix26/x26-Cogs/commit/72dd9323cb4c90f3a5accac7087605375d178246"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/Twentysix26/x26-Cogs/releases/tag/v1.10"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/Twentysix26/x26-Cogs/security/advisories/GHSA-cfh8-v56j-5757"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Secondary"}]}