CVE-2024-21624: Potential Information Leak in User-Constructed Message Templates in nonebot2
First published: Fri Feb 09 2024(Updated: )
### Impact This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. ### Patches The identified vulnerability has been remedied in fix #2509 and will be included in versions released after 2.1.3. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. ### Workarounds A temporary workaround involves filtering underscores before incorporating user input into the message template. ### References - [Pull Request #2509](https://github.com/nonebot/nonebot2/pull/2509) - [CWE-1336](https://cwe.mitre.org/data/definitions/1336.html)
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/nonebot2 | >=2.0.0a16<=2.1.3 | 2.2.0 |
| Nonebot Nonebot | >=2.0.1<2.2.0 | |
| Nonebot Nonebot | =2.0.0 | |
| Nonebot Nonebot | =2.0.0-alpha16 | |
| Nonebot Nonebot | =2.0.0-beta1 | |
| Nonebot Nonebot | =2.0.0-beta2 | |
| Nonebot Nonebot | =2.0.0-beta3 | |
| Nonebot Nonebot | =2.0.0-beta4 | |
| Nonebot Nonebot | =2.0.0-beta5 | |
| Nonebot Nonebot | =2.0.0-rc1 | |
| Nonebot Nonebot | =2.0.0-rc2 | |
| Nonebot Nonebot | =2.0.0-rc3 | |
| Nonebot Nonebot | =2.0.0-rc4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg
- https://github.com/nonebot/nonebot2/pull/2509
- https://github.com/nonebot/nonebot2/commit/b65b3b438c95894654fd9081139989c757bdc6c1
- https://nvd.nist.gov/vuln/detail/CVE-2024-21624
- https://github.com/pypa/advisory-database/tree/main/vulns/nonebot2/PYSEC-2024-37.yaml
- https://github.com/advisories/GHSA-59j8-776v-xxxg (Advisory)
- agent/first-publish-date
- agent/title
- agent/weakness
- agent/type
- agent/description
- agent/author
- agent/event
- agent/severity
- agent/remedy
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/nvd-cve
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-59j8-776v-xxxg
- alias/CVE-2024-21624
- agent/references
- collector/github-advisory
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/tags
- agent/source
- vendor/nonebot
- canonical/nonebot nonebot
- version/nonebot nonebot/2.0.1
- version/nonebot nonebot/2.0.0
- version/nonebot nonebot/2.0.0-alpha16
- version/nonebot nonebot/2.0.0-beta1
- version/nonebot nonebot/2.0.0-beta2
- version/nonebot nonebot/2.0.0-beta3
- version/nonebot nonebot/2.0.0-beta4
- version/nonebot nonebot/2.0.0-beta5
- version/nonebot nonebot/2.0.0-rc1
- version/nonebot nonebot/2.0.0-rc2
- version/nonebot nonebot/2.0.0-rc3
- version/nonebot nonebot/2.0.0-rc4
- package-manager/pip