5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-39905

CVE-2024-39905: Red-DiscordBot vulnerable to Incorrect Authorization in commands API

Impact

Due to a bug in Red's Core API, 3rd-party cogs using the @commands.can_manage_channel() command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel. None of the core commands or core cogs are affected. The maintainers of the project are not aware of any public 3rd-party cog utilizing this API at the time of writing this advisory.

The @commands.mod_or_can_manage_channel(), @commands.admin_or_can_manage_channel(), and @commands.guildowner_or_can_manage_channel() command permission checks are unaffected.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/AU:Y/R:U/RE:L

Patches

The problem was patched in PR #6398 and later released in version 3.5.10.

Workarounds

Any cog using the @commands.can_manage_channel() command permission check should be unloaded until an upgrade to a patched version can be performed.

References

https://github.com/Cog-Creators/Red-DiscordBot/pull/6398 https://github.com/Cog-Creators/Red-DiscordBot/releases/tag/3.5.10 https://pypi.org/project/Red-DiscordBot/3.5.10/

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-39905

CVE-2024-39905:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Red-DiscordBot	pip	>= 3.5.0, < 3.5.10	3.5.10

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from incorrect parameter binding in the can_manage_channel decorator. Before the patch, the function called _can_manage_channel_deco(allow_thread_owner) without keyword arguments, misassigning the boolean 'allow_thread_owner' value to the 'privilege_level' parameter. This caused privilege checks to compare PrivilegeLevel enum values against boolean equivalents (0/1), which always evaluated as True for users with any privilege level. The fix enforced keyword arguments and proper parameter assignment.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-39905: Red-DiscordBot vulnerable to Incorrect Authorization in commands API

Impact

Patches

Workarounds

References

CVE-2024-39905:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

5.3

5.3

CVE-2024-39905: Red-DiscordBot vulnerable to Incorrect Authorization in commands API

Impact

Patches

Workarounds

References

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI