CVE-2024-45307

{"id": "CVE-2024-45307", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 5.3, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-09-03T19:15:15.033", "references": [{"url": "https://github.com/onesoft-sudo/sudobot/commit/ef46ca98562f3c1abef4ff7dd94d8f7b8155ee50", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/onesoft-sudo/sudobot/security/advisories/GHSA-crgg-w3rr-r9h4", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-862"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "SudoBot, a Discord moderation bot, is vulnerable to privilege escalation and exploit of the `-config` command in versions prior to 9.26.7. Anyone is theoretically able to update any configuration of the bot and potentially gain control over the bot's settings. Every version of v9 before v9.26.7 is affected. Other versions (e.g. v8) are not affected. Users should upgrade to version 9.26.7 to receive a patch. A workaround would be to create a command permission overwrite in the Database. A SQL statement provided in the GitHub Security Advisor can be executed to create a overwrite that disallows users without `ManageGuild` permission to run the `-config` command. Run the SQL statement for every server the bot is in, and replace `<guild_id>` with the appropriate Guild ID each time."}, {"lang": "es", "value": "SudoBot, un bot de moderaci\u00f3n de Discord, es vulnerable a la escalada de privilegios y al exploit del comando `-config` en versiones anteriores a la 9.26.7. En teor\u00eda, cualquiera puede actualizar cualquier configuraci\u00f3n del bot y potencialmente obtener control sobre las configuraciones del bot. Todas las versiones de v9 anteriores a la v9.26.7 est\u00e1n afectadas. Otras versiones (por ejemplo, v8) no est\u00e1n afectadas. Los usuarios deben actualizar a la versi\u00f3n 9.26.7 para recibir un parche. Un workaround ser\u00eda crear una sobrescritura de permiso de comando en la base de datos. Se puede ejecutar una declaraci\u00f3n SQL provista en el Asesor de seguridad de GitHub para crear una sobrescritura que no permita a los usuarios sin permiso `ManageGuild` ejecutar el comando `-config`. Ejecute la declaraci\u00f3n SQL para cada servidor en el que est\u00e9 el bot y reemplace `` con el ID de gremio apropiado cada vez."}], "lastModified": "2024-09-07T01:34:05.907", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:onesoftnet:sudobot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2025DA97-6C1F-4FC0-A724-423878974B08", "versionEndExcluding": "9.26.7", "versionStartIncluding": "9.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}