漏洞标题
恶意模块开发者可能在Discord-Bot-Framework-Kernel中获取机器人令牌
漏洞描述信息
Discord-Bot-Framework-Kernel 是一个基于 interactions.py 构建的 Discord 机器人框架,具备模块化扩展管理和安全执行功能。由于该框架允许执行任意用户提交的代码,这使得用户可以执行潜在的恶意代码从而造成损害或泄露敏感信息。通过加载包含以下代码的模块并运行命令,可以提取 bot token。然后,攻击者可以加载阻塞模块以破坏机器人(DDoS 攻击),并利用 token 使伪造的机器人冒充真实的机器人。如果该机器人具有非常高的权限,攻击者可以在用户踢出机器人之前拥有完全控制权。在提交 f0d9e70841a0e3170b88c4f8d562018ccd8e8b14 之前的任何 Discord 用户如果部署了 Discord-Bot-Framework-Kernel 都会受到影响。建议用户升级。无法升级的用户可以通过配置选项限制其 Discord 机器人的访问权限。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
漏洞类别
敏感数据的明文传输
漏洞标题
Possibility to retrieve bot token by malicious module developers in Discord-Bot-Framework-Kernel
漏洞描述信息
Discord-Bot-Framework-Kernel is a Discord bot framework built with interactions.py, featuring modular extension management and secure execution. Because of the nature of arbitrary user-submited code execution, this allows user to execute potentially malicious code to perform damage or extract sensitive information. By loading the module containing the following code and run the command, the bot token can be extracted. Then the attacker can load a blocking module to sabotage the bot (DDoS attack) and the token can be used to make the fake bot act as the real one. If the bot has very high privilege, the attacker basically has full control before the user kicks the bot. Any Discord user that hosts Discord-Bot-Framework-Kernel before commit f0d9e70841a0e3170b88c4f8d562018ccd8e8b14 is affected. Users are advised to upgrade. Users unable to upgrade may attempt to limit their discord bot's access via configuration options.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:H
漏洞类别
信息暴露
