CVE-2024-21624: NoneBot Potential Information Leak in User-Constructed Message Templates

CVSS Score: 5.7 (CVSS 3.1)

Basic Information

EPSS Score: 0.49426%
Published: 2/9/2024
Updated: 2/16/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Package Name: nonebot2
Ecosystem: pip
Vulnerable Versions: >= 2.0.0a16, <= 2.1.3
First Patched Version: 2.2.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the template engine's attribute resolution mechanism. The original implementation of `get_field` did not validate access to private attributes (those starting with an underscore). The fix introduced a `private_getattr` flag and explicit checks for attribute names starting with `_`, preventing access to internal attributes unless explicitly allowed. The commit diff shows this security check being added to the `get_field` method, and the test cases demonstrate exploitation attempts through attributes like `__init__` and `__builtins__`.
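A sketch of the kind of check described above, added here as an illustration and not taken from NoneBot's code: a `string.Formatter` subclass whose `get_field` rejects `_`-prefixed attribute names unless a `private_getattr` flag is set. `GuardedFormatter`, `Event` and `render` are hypothetical names, and the token value is constructed.

```python
from string import Formatter
from _string import formatter_field_name_split  # CPython helper string.Formatter itself uses


class GuardedFormatter(Formatter):
    """Hypothetical formatter: refuses '_'-prefixed attribute lookups in fields."""

    def __init__(self, private_getattr=False):
        self.private_getattr = private_getattr  # opt-in, off by default

    def get_field(self, field_name, args, kwargs):
        # Split "e.nickname[0]" into the root name and its accessor chain.
        first, rest = formatter_field_name_split(field_name)
        obj = self.get_value(first, args, kwargs)
        for is_attr, key in rest:
            if is_attr:
                # The guard: block private and dunder attributes by default.
                if not self.private_getattr and key.startswith("_"):
                    raise ValueError(
                        f"private attribute {key!r} is not allowed in templates"
                    )
                obj = getattr(obj, key)
            else:
                obj = obj[key]
        return obj, first


class Event:
    """Constructed sample object of the sort a bot passes to a template."""

    def __init__(self, nickname):
        self.nickname = nickname
        self._session_token = "constructed-secret"  # constructed value


def render(template, formatter=None, **kwargs):
    """Return (ok, text); ok is False when the guard rejected a field."""
    formatter = formatter or GuardedFormatter()
    try:
        return True, formatter.format(template, **kwargs)
    except ValueError as exc:
        return False, str(exc)
```

The guard covers only attribute access in the field name; whether user-supplied text should be used as the template string at all is a separate design decision.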


WAF Protection Rules

WAF Rule

### Impact
This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates.

### Patches
The identified vulnerabil
