CVE-2024-39905 - Vulnerability Details - OpenCVE

Red is a fully modular Discord bot. Due to a bug in Red's Core API, 3rd-party cogs using the `@commands.can_manage_channel()` command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel. None of the core commands or core cogs are affected. The maintainers of the project are not aware of any _public_ 3rd-party cog utilizing this API at the time of writing this advisory. The problem was patched and released in version 3.5.10.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00292.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/Cog-Creators/Red-DiscordBot/commit/0b0b23b9717b40ed4f8715720b199417c8e89750
https://github.com/Cog-Creators/Red-DiscordBot/pull/6398
https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-5jq8-q6rj-9gq4

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-11T15:43:34.437Z

Updated: 2024-08-02T04:33:11.321Z

Reserved: 2024-07-02T19:37:18.600Z

Link: CVE-2024-39905

Vulnrichment

Updated: 2024-08-02T04:33:11.321Z

NVD

Status : Awaiting Analysis

Published: 2024-07-11T16:15:05.067

Modified: 2024-11-21T09:28:32.333

Link: CVE-2024-39905

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39905", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-02T19:37:18.600Z", "datePublished": "2024-07-11T15:43:34.437Z", "dateUpdated": "2024-08-02T04:33:11.321Z"}, "containers": {"cna": {"title": "Red-DiscordBot vulnerable to Incorrect Authorization in commands API", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-5jq8-q6rj-9gq4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-5jq8-q6rj-9gq4"}, {"name": "https://github.com/Cog-Creators/Red-DiscordBot/pull/6398", "tags": ["x_refsource_MISC"], "url": "https://github.com/Cog-Creators/Red-DiscordBot/pull/6398"}, {"name": "https://github.com/Cog-Creators/Red-DiscordBot/commit/0b0b23b9717b40ed4f8715720b199417c8e89750", "tags": ["x_refsource_MISC"], "url": "https://github.com/Cog-Creators/Red-DiscordBot/commit/0b0b23b9717b40ed4f8715720b199417c8e89750"}], "affected": [{"vendor": "Cog-Creators", "product": "Red-DiscordBot", "versions": [{"version": ">= 3.5.0, < 3.5.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-11T15:43:34.437Z"}, "descriptions": [{"lang": "en", "value": "Red is a fully modular Discord bot. Due to a bug in Red's Core API, 3rd-party cogs using the `@commands.can_manage_channel()` command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel. None of the core commands or core cogs are affected. The maintainers of the project are not aware of any _public_ 3rd-party cog utilizing this API at the time of writing this advisory. The problem was patched and released in version 3.5.10."}], "source": {"advisory": "GHSA-5jq8-q6rj-9gq4", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "cogboard", "product": "red_discord_bot", "cpes": ["cpe:2.3:a:cogboard:red_discord_bot:3.5.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "3.5.0", "status": "affected", "lessThan": "3.5.10", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-12T18:05:25.225801Z", "id": "CVE-2024-39905", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-12T18:08:15.664Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.321Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-5jq8-q6rj-9gq4", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-5jq8-q6rj-9gq4"}, {"name": "https://github.com/Cog-Creators/Red-DiscordBot/pull/6398", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Cog-Creators/Red-DiscordBot/pull/6398"}, {"name": "https://github.com/Cog-Creators/Red-DiscordBot/commit/0b0b23b9717b40ed4f8715720b199417c8e89750", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Cog-Creators/Red-DiscordBot/commit/0b0b23b9717b40ed4f8715720b199417c8e89750"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-5jq8-q6rj-9gq4", "name": "https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-5jq8-q6rj-9gq4", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/Cog-Creators/Red-DiscordBot/pull/6398", "name": "https://github.com/Cog-Creators/Red-DiscordBot/pull/6398", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/Cog-Creators/Red-DiscordBot/commit/0b0b23b9717b40ed4f8715720b199417c8e89750", "name": "https://github.com/Cog-Creators/Red-DiscordBot/commit/0b0b23b9717b40ed4f8715720b199417c8e89750", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.321Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39905", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-12T18:05:25.225801Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cogboard:red_discord_bot:3.5.0:*:*:*:*:*:*:*"], "vendor": "cogboard", "product": "red_discord_bot", "versions": [{"status": "affected", "version": "3.5.0", "lessThan": "3.5.10", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-12T18:08:02.247Z"}}], "cna": {"title": "Red-DiscordBot vulnerable to Incorrect Authorization in commands API", "source": {"advisory": "GHSA-5jq8-q6rj-9gq4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Cog-Creators", "product": "Red-DiscordBot", "versions": [{"status": "affected", "version": ">= 3.5.0, < 3.5.10"}]}], "references": [{"url": "https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-5jq8-q6rj-9gq4", "name": "https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-5jq8-q6rj-9gq4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Cog-Creators/Red-DiscordBot/pull/6398", "name": "https://github.com/Cog-Creators/Red-DiscordBot/pull/6398", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Cog-Creators/Red-DiscordBot/commit/0b0b23b9717b40ed4f8715720b199417c8e89750", "name": "https://github.com/Cog-Creators/Red-DiscordBot/commit/0b0b23b9717b40ed4f8715720b199417c8e89750", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Red is a fully modular Discord bot. Due to a bug in Red's Core API, 3rd-party cogs using the `@commands.can_manage_channel()` command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel. None of the core commands or core cogs are affected. The maintainers of the project are not aware of any _public_ 3rd-party cog utilizing this API at the time of writing this advisory. The problem was patched and released in version 3.5.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-11T15:43:34.437Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39905", "state": "PUBLISHED", "dateUpdated": "2024-08-02T04:33:11.321Z", "dateReserved": "2024-07-02T19:37:18.600Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-11T15:43:34.437Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Red is a fully modular Discord bot. Due to a bug in Red's Core API, 3rd-party cogs using the `@commands.can_manage_channel()` command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel. None of the core commands or core cogs are affected. The maintainers of the project are not aware of any _public_ 3rd-party cog utilizing this API at the time of writing this advisory. The problem was patched and released in version 3.5.10."}, {"lang": "es", "value": "Red es un bot de Discord totalmente modular. Debido a un error en la API principal de Red, los engranajes de terceros que utilizan la verificaci\u00f3n de permisos del comando `@commands.can_manage_channel()` sin controles de permisos adicionales pueden autorizar a un usuario a ejecutar un comando incluso cuando ese usuario no tiene permisos para administrar un canal. Ninguno de los comandos principales o engranajes principales se ve afectado. Los mantenedores del proyecto no tienen conocimiento de ning\u00fan any _public_ 3rd-party que utilice esta API al momento de escribir este aviso. El problema fue parcheado y lanzado en la versi\u00f3n 3.5.10. "}], "id": "CVE-2024-39905", "lastModified": "2024-11-21T09:28:32.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-11T16:15:05.067", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Cog-Creators/Red-DiscordBot/commit/0b0b23b9717b40ed4f8715720b199417c8e89750"}, {"source": "security-advisories@github.com", "url": "https://github.com/Cog-Creators/Red-DiscordBot/pull/6398"}, {"source": "security-advisories@github.com", "url": "https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-5jq8-q6rj-9gq4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/Cog-Creators/Red-DiscordBot/commit/0b0b23b9717b40ed4f8715720b199417c8e89750"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/Cog-Creators/Red-DiscordBot/pull/6398"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-5jq8-q6rj-9gq4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}