7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36024

GHSA ID

GHSA-qmhj-m29v-gvmr

EPSS Score

0.24258%

CWE

CWE-284

Published

8/18/2022

Updated

11/26/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36024

CVE-2022-36024: Bots using py-cord as Discord API wrapper are vulnerable to shutdowns through remote code execution

Impact

py-cord is a an API wrapper for Discord written in Python. Bots using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the application.commands scope without the bot scope. Currently, it appears that all public bots that use slash commands are affected.

Patches

This issue has been patched in version 2.0.1.

Workarounds

There are currently no recommended workarounds - please upgrade to a patched version.

References

https://github.com/Pycord-Development/pycord/pull/1568

For more information

If you have any questions or comments about this advisory:

Open an issue in our GitHub
Email us at support@pycord.dev

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36024

GHSA ID

GHSA-qmhj-m29v-gvmr

EPSS Score

0.24258%

CWE

CWE-284

Published

8/18/2022

Updated

11/26/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
py-cord	pip	= 2.0.0	2.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how interaction data was processed in applications without the 'bot' scope. The pull request #1568 shows critical changes to the Interaction._from_data method, specifically adding fallbacks for missing guild data and using Object() when guild information isn't properly scoped. This matches the CWE-284 (Improper Access Control) description, as the original implementation failed to properly validate/handle interaction context from unauthorized scopes, enabling remote shutdowns via malformed interactions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t py-*or* is * *n *PI wr*pp*r *or *is*or* writt*n in Pyt*on. *ots usin* py-*or* v*rsion *.*.* *r* vuln*r**l* to r*mot* s*ut*own i* t**y *r* ***** to t** s*rv*r wit* t** `*ppli**tion.*omm*n*s` s*op* wit*out t** `*ot` s*op*. *urr*ntly, it *pp*

Reasoning

T** vuln*r**ility st*ms *rom *ow int*r**tion **t* w*s pro**ss** in *ppli**tions wit*out t** '*ot' s*op*. T** pull r*qu*st #**** s*ows *riti**l ***n**s to t** Int*r**tion._*rom_**t* m*t*o*, sp**i*i**lly ***in* **ll***ks *or missin* *uil* **t* *n* usin

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-36024: Bots using py-cord as Discord API wrapper are vulnerable to shutdowns through remote code execution

Impact

Patches

Workarounds

References

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI