8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15147

GHSA ID

GHSA-7257-96vg-qf6x

EPSS Score

0.8442%

CWE

CWE-74

Published

8/21/2020

Updated

10/26/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-15147

CVE-2020-15147: Remote Code Execution in Red Discord Bot

Impact

A RCE exploit has been discovered in the Streams module: this exploit allows Discord users with specifically crafted "going live" messages to inject code into the Streams module's going live message. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information.

Patches

This critical exploit has been fixed on version 3.3.12 & 3.4.

Workarounds

Unloading the Streams module with unload streams can render this exploit not accessible. We still highly recommend updating to 3.3.12 or 3.4 to completely patch this issue.

References

https://github.com/Cog-Creators/Red-DiscordBot/pull/4183

For more information

If you have any questions or comments about this advisory:

Open an issue in Cog-Creators/Red-DiscordBot
Over on our Discord server

(GitHub Advisory)

8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15147

GHSA ID

GHSA-7257-96vg-qf6x

EPSS Score

0.8442%

CWE

CWE-74

Published

8/21/2020

Updated

10/26/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Red-DiscordBot	pip	<= 3.3.11	3.3.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how user-controlled stream names were handled in message templates. The pre-patch code used .format() with {stream} which evaluates Python expressions if malicious format specifiers are present. The commit e269ea0 shows the fix replaced .format() with .replace() for {stream} and {stream.name}, indicating the original formatting approach was vulnerable to code injection via crafted stream names. The check_streams() function was responsible for processing these live alerts, making it the primary vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * R** *xploit **s ***n *is*ov*r** in t** Str**ms mo*ul*: t*is *xploit *llows *is*or* us*rs wit* sp**i*i**lly *r**t** "*oin* liv*" m*ss***s to inj**t *o** into t** Str**ms mo*ul*'s *oin* liv* m*ss***. *y **usin* t*is *xploit, it's possi*l*

Reasoning

T** vuln*r**ility st*ms *rom *ow us*r-*ontroll** str**m n*m*s w*r* **n*l** in m*ss*** t*mpl*t*s. T** pr*-p*t** *o** us** `.*orm*t()` wit* `{str**m}` w*i** *v*lu*t*s Pyt*on *xpr*ssions i* m*li*ious *orm*t sp**i*i*rs *r* pr*s*nt. T** *ommit ******* s*o

8.6

Basic Information

Concerned about an active attack path?

CVE-2020-15147: Remote Code Execution in Red Discord Bot

Impact

Patches

Workarounds

References

For more information

8.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI