Skip to content

Improper Input Validation in kenny2automate

Moderate
Kenny2github published GHSA-73j8-xrcr-q6j7 Jan 2, 2023

Package

kenny2automate (Discord bot)

Affected versions

< a947d7c

Patched versions

a947d7c

Description

Impact

  • In the web interface for server settings, form elements were generated with Discord channel IDs as part of input names.
  • Prior to commit a947d7c, no validation was performed to ensure that the channel IDs submitted actually belonged to the server being configured. Thus anyone who has access to a) the channel ID they wish to change settings for and b) the server settings panel for any server could change settings for the requested channel no matter which server it belonged to.
  • Impact: A fix has already been deployed. Thus this only affects people who have forked the repository and are running their own instance of the bot.

Patches

Commit a947d7c resolves the issue and has been deployed to the official instance of the bot.

Workarounds

The only workaround that exists is to disable the web config entirely by changing it to run on localhost.

Note that a workaround is only necessary for those who run their own instance of the bot.

References

  • The commit that fixes the issue: a947d7c

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVE ID

CVE-2023-22452

Weaknesses

Credits