5.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-21624

GHSA ID

GHSA-59j8-776v-xxxg

EPSS Score

0.49426%

CWE

CWE-200

Published

2/9/2024

Updated

2/16/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-21624

CVE-2024-21624: NoneBot Potential Information Leak in User-Constructed Message Templates

Impact

This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize MessageTemplate and incorporate user-provided data into templates.

Patches

The identified vulnerability has been remedied in fix #2509 and will be included in versions released after 2.1.3. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability.

Workarounds

A temporary workaround involves filtering underscores before incorporating user input into the message template.

References

(GitHub Advisory)

5.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-21624

GHSA ID

GHSA-59j8-776v-xxxg

EPSS Score

0.49426%

CWE

CWE-200

Published

2/9/2024

Updated

2/16/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nonebot2	pip	>= 2.0.0a16, <= 2.1.3	2.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the template engine's attribute resolution mechanism. The original implementation in get_field didn't validate access to private attributes (those starting with underscore). The fix introduced a 'private_getattr' flag and explicit checks for attribute names starting with '_', preventing access to internal attributes unless explicitly allowed. The commit diff shows this security check was added to the get_field method, and test cases demonstrate exploitation attempts through attributes like init and builtins.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T*is s**urity **visory p*rt*ins to * pot*nti*l in*orm*tion l**k (*.*., *nvironm*nt v*ri**l*s) in inst*n**s w**r* **v*lop*rs utiliz* `M*ss***T*mpl*t*` *n* in*orpor*t* us*r-provi*** **t* into t*mpl*t*s. ### P*t***s T** i**nti*i** vuln*r**il

Reasoning

T** vuln*r**ility st*ms *rom t** t*mpl*t* *n*in*'s *ttri*ut* r*solution m****nism. T** ori*in*l impl*m*nt*tion in **t_*i*l* *i*n't v*li**t* ****ss to priv*t* *ttri*ut*s (t*os* st*rtin* wit* un**rs*or*). T** *ix intro*u*** * 'priv*t*_**t*ttr' *l** *n*

5.7

Basic Information

Concerned about an active attack path?

CVE-2024-21624: NoneBot Potential Information Leak in User-Constructed Message Templates

Impact

Patches

Workarounds

References

5.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI