GHSA-59j8-776v-xxxg: NoneBot Potential Information Leak in User-Constructed Message Templates

Skip to content

• • Actions

    Automate any workflow

  • Packages

    Host and manage packages

  • Security

    Find and fix vulnerabilities

  • Codespaces

    Instant dev environments

  • Copilot

    Write better code with AI

  • Code review

    Manage code changes

  • Issues

    Plan and track work

  • Discussions

    Collaborate outside of code

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2024-21624

NoneBot Potential Information Leak in User-Constructed Message Templates

Moderate severity GitHub Reviewed Published Feb 9, 2024 in nonebot/nonebot2 • Updated Feb 9, 2024

Package

pip nonebot2 (pip)

Affected versions

>= 2.0.0a16, <= 2.1.3

Description

Impact

This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize MessageTemplate and incorporate user-provided data into templates.

Patches

The identified vulnerability has been remedied in fix #2509 and will be included in versions released after 2.1.3. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability.

Workarounds

A temporary workaround involves filtering underscores before incorporating user input into the message template.

References

• Pull Request #2509
• CWE-1336

References

• GHSA-59j8-776v-xxxg
• nonebot/nonebot2#2509
• nonebot/nonebot2@b65b3b4

Published to the GitHub Advisory Database

Feb 9, 2024