CVE-2022-36024 - OpenCVE

py-cord is a an API wrapper for Discord written in Python. Bots creating using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected. This issue has been patched in version 2.0.1. There are currently no recommended workarounds - please upgrade to a patched version.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pycord Development	Pycord

Configuration 1 [-]

cpe:2.3:a:pycord_development:pycord:2.0.0:*:*:*:*:discord:*:*

No data.

References

Link	Providers
https://github.com/Pycord-Development/pycord/pull/1568
https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-08-18T14:45:17

Updated: 2024-08-03T09:51:59.928Z

Reserved: 2022-07-15T00:00:00

Link: CVE-2022-36024

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-18T15:15:26.243

Modified: 2022-12-09T18:42:36.463

Link: CVE-2022-36024

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "pycord", "vendor": "Pycord-Development", "versions": [{"status": "affected", "version": "= 2.0.0"}]}], "descriptions": [{"lang": "en", "value": "py-cord is a an API wrapper for Discord written in Python. Bots creating using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected. This issue has been patched in version 2.0.1. There are currently no recommended workarounds - please upgrade to a patched version."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-19T19:45:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Pycord-Development/pycord/pull/1568"}], "source": {"advisory": "GHSA-qmhj-m29v-gvmr", "discovery": "UNKNOWN"}, "title": "Bots using py-cord as discord api wrapper are vulnerable to shutdowns through remote code execution", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36024", "STATE": "PUBLIC", "TITLE": "Bots using py-cord as discord api wrapper are vulnerable to shutdowns through remote code execution"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "pycord", "version": {"version_data": [{"version_value": "= 2.0.0"}]}}]}, "vendor_name": "Pycord-Development"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "py-cord is a an API wrapper for Discord written in Python. Bots creating using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected. This issue has been patched in version 2.0.1. There are currently no recommended workarounds - please upgrade to a patched version."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862: Missing Authorization"}]}, {"description": [{"lang": "eng", "value": "CWE-284: Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr", "refsource": "CONFIRM", "url": "https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr"}, {"name": "https://github.com/Pycord-Development/pycord/pull/1568", "refsource": "MISC", "url": "https://github.com/Pycord-Development/pycord/pull/1568"}]}, "source": {"advisory": "GHSA-qmhj-m29v-gvmr", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:51:59.928Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Pycord-Development/pycord/pull/1568"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36024", "datePublished": "2022-08-18T14:45:17", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2024-08-03T09:51:59.928Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pycord_development:pycord:2.0.0:*:*:*:*:discord:*:*", "matchCriteriaId": "4904F234-DCCA-442C-952C-2581C552314F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "py-cord is a an API wrapper for Discord written in Python. Bots creating using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected. This issue has been patched in version 2.0.1. There are currently no recommended workarounds - please upgrade to a patched version."}, {"lang": "es", "value": "py-cord es una envoltura de API escrita en Python. Los bots que se crean utilizando la versi\u00f3n 2.0.0 de py-cord son vulnerables al cierre remoto si se a\u00f1aden al servidor con el \u00e1mbito `application.commands` sin el \u00e1mbito `bot`. Actualmente, parece que todos los bots p\u00fablicos que usan comandos de barra est\u00e1n afectados. Este problema ha sido corregido en la versi\u00f3n 2.0.1. Actualmente no hay soluciones recomendadas - por favor, actualice a una versi\u00f3n parcheada."}], "id": "CVE-2022-36024", "lastModified": "2022-12-09T18:42:36.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-08-18T15:15:26.243", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Pycord-Development/pycord/pull/1568"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Secondary"}]}