Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-21624

Good to know:

icon
icon

Date: February 9, 2024

nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template.

Language: Python

Severity Score

Related Resources (7)

https://github.com/pypa/advisory-database/tree/main/vulns/nonebot2/PYSEC-2024-37.yaml
https://nvd.nist.gov/vuln/detail/CVE-2024-21624
https://github.com/nonebot/nonebot2/commit/b65b3b438c95894654fd9081139989c757bdc6c1
https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg
https://github.com/nonebot/nonebot2
https://github.com/nonebot/nonebot2/pull/2509
https://www.mend.io/vulnerability-database/CVE-2024-21624

Severity Score

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Insufficient Information

NVD-CWE-noinfo

Improper Neutralization of Special Elements Used in a Template Engine

CWE-1336

Top Fix

icon

Upgrade Version

Upgrade to version nonebot2 - 2.2.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us