CVE-2024-21624 - OpenCVE

nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nonebot	Nonebot

Configuration 1 [-]

OR	cpe:2.3:a:nonebot:nonebot::::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:-::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:alpha16::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:beta1::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:beta2::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:beta3::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:beta4::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:beta5::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:rc1::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:rc2::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:rc3::::::
	cpe:2.3:a:nonebot:nonebot:2.0.0:rc4::::::

No data.

References

Link	Providers
https://github.com/nonebot/nonebot2/pull/2509
https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-02-09T22:16:49.974Z

Updated: 2024-08-01T22:27:35.692Z

Reserved: 2023-12-29T03:00:44.953Z

Link: CVE-2024-21624

Vulnrichment

Updated: 2024-08-01T22:27:35.692Z

NVD

Status : Analyzed

Published: 2024-02-09T23:15:08.553

Modified: 2024-02-16T13:52:53.357

Link: CVE-2024-21624

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21624", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-29T03:00:44.953Z", "datePublished": "2024-02-09T22:16:49.974Z", "dateUpdated": "2024-08-01T22:27:35.692Z"}, "containers": {"cna": {"title": "Potential Information Leak in User-Constructed Message Templates in nonebot2", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg"}, {"name": "https://github.com/nonebot/nonebot2/pull/2509", "tags": ["x_refsource_MISC"], "url": "https://github.com/nonebot/nonebot2/pull/2509"}], "affected": [{"vendor": "nonebot", "product": "nonebot2", "versions": [{"version": ">= 2.0.0a16, < 2.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-09T22:16:49.974Z"}, "descriptions": [{"lang": "en", "value": "nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template."}], "source": {"advisory": "GHSA-59j8-776v-xxxg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21624", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-11T17:00:54.232350Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:20:49.630Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:35.692Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg"}, {"name": "https://github.com/nonebot/nonebot2/pull/2509", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nonebot/nonebot2/pull/2509"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg", "name": "https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/nonebot/nonebot2/pull/2509", "name": "https://github.com/nonebot/nonebot2/pull/2509", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:35.692Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21624", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-11T17:00:54.232350Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:36.919Z"}}], "cna": {"title": "Potential Information Leak in User-Constructed Message Templates in nonebot2", "source": {"advisory": "GHSA-59j8-776v-xxxg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nonebot", "product": "nonebot2", "versions": [{"status": "affected", "version": ">= 2.0.0a16, < 2.2.0"}]}], "references": [{"url": "https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg", "name": "https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nonebot/nonebot2/pull/2509", "name": "https://github.com/nonebot/nonebot2/pull/2509", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-09T22:16:49.974Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21624", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:27:35.692Z", "dateReserved": "2023-12-29T03:00:44.953Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-02-09T22:16:49.974Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nonebot:nonebot:*:*:*:*:*:*:*:*", "matchCriteriaId": "48D76A37-92D4-435B-8E50-798D10E7E452", "versionEndExcluding": "2.2.0", "versionStartIncluding": "2.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "465F6B52-66C6-4227-9EDE-CE2B532DF86F", "vulnerable": true}, {"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:alpha16:*:*:*:*:*:*", "matchCriteriaId": "E33D41DF-25CA-475D-A068-ABB2BB8F0756", "vulnerable": true}, {"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "6C2A7A44-E383-4FC5-9471-7F7D142EE5B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "97E334E2-1BBD-49F4-9DB6-6030539246B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "A73B180B-3EC8-4050-8E2F-F879097D5349", "vulnerable": true}, {"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "A4940243-0FAD-46CB-83AD-28D131B0C33D", "vulnerable": true}, {"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "882E455A-7665-4E87-A000-24F3BAD30574", "vulnerable": true}, {"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "3735223E-557B-4B99-849F-EA965A478B12", "vulnerable": true}, {"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE1E1EC-D01B-41ED-8268-2725C67E92EC", "vulnerable": true}, {"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "00EAA913-619A-4999-866C-BC7F44E84FA9", "vulnerable": true}, {"criteria": "cpe:2.3:a:nonebot:nonebot:2.0.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "E3411B5D-14F4-4BA0-AF2A-CBF789F5BEE9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template."}, {"lang": "es", "value": "nonebot2 es un framework de chatbot asincr\u00f3nico de Python multiplataforma escrito en Python. Este aviso de seguridad se refiere a una posible fuga de informaci\u00f3n (por ejemplo, variables de entorno) en casos en los que los desarrolladores utilizan \"MessageTemplate\" e incorporan datos proporcionados por el usuario en plantillas. La vulnerabilidad identificada se solucion\u00f3 en la solicitud de extracci\u00f3n n.\u00b0 2509 y se incluir\u00e1 en las versiones lanzadas a partir de la 2.2.0. Se recomienda encarecidamente a los usuarios que actualicen a estas versiones parcheadas para protegerse contra la vulnerabilidad. Una soluci\u00f3n temporal implica filtrar los guiones bajos antes de incorporar la entrada del usuario en la plantilla del mensaje."}], "id": "CVE-2024-21624", "lastModified": "2024-02-16T13:52:53.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-02-09T23:15:08.553", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/nonebot/nonebot2/pull/2509"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}