CVE-2024-45307

Sept. 7, 2024, 1:34 a.m.

Tags

security-advisories@github.com
CWE-285
CWE-862
2024-09-03
CVE-2024-45307

CVSS Score

9.8 / 10

Products Impacted

Vendor Product Versions
onesoftnet
  • sudobot
  • *

Description

SudoBot, a Discord moderation bot, is vulnerable to privilege escalation and exploit of the `-config` command in versions prior to 9.26.7. Anyone is theoretically able to update any configuration of the bot and potentially gain control over the bot's settings. Every version of v9 before v9.26.7 is affected. Other versions (e.g. v8) are not affected. Users should upgrade to version 9.26.7 to receive a patch. A workaround would be to create a command permission overwrite in the Database. A SQL statement provided in the GitHub Security Advisor can be executed to create a overwrite that disallows users without `ManageGuild` permission to run the `-config` command. Run the SQL statement for every server the bot is in, and replace `<guild_id>` with the appropriate Guild ID each time.

Weaknesses

CWE-285
Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CWE ID: 285
CWE-862
Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CWE ID: 862

Date

Published: Sept. 3, 2024, 7:15 p.m.

Last Modified: Sept. 7, 2024, 1:34 a.m.

Status : Analyzed

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

security-advisories@github.com

CPEs

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a onesoftnet sudobot / / / / / / / /

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score
9.8
Exploitability Score
3.9
Impact Score
5.9
Base Severity
CRITICAL
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

https://github.com/onesoft-sudo/sudobot/commit/ef46ca98562f3c1abef4ff7dd94d8f7b8155ee50
security-advisories@github.com
https://github.com/onesoft-sudo/sudobot/security/advisories/GHSA-crgg-w3rr-r9h4
security-advisories@github.com