Skip to content

Remote Code Execution in Red Discord Bot

High severity GitHub Reviewed Published Aug 20, 2020 in Cog-Creators/Red-DiscordBot • Updated Feb 1, 2023

Package

pip Red-DiscordBot (pip)

Affected versions

<= 3.3.11

Patched versions

3.3.12

Description

Impact

A RCE exploit has been discovered in the Streams module: this exploit allows Discord users with specifically crafted "going live" messages to inject code into the Streams module's going live message. By abusing this exploit, it's possible to perform destructive actions and/or access sensitive information.

Patches

This critical exploit has been fixed on version 3.3.12 & 3.4.

Workarounds

Unloading the Streams module with unload streams can render this exploit not accessible. We still highly recommend updating to 3.3.12 or 3.4 to completely patch this issue.

References

For more information

If you have any questions or comments about this advisory:

References

@Kowlin Kowlin published to Cog-Creators/Red-DiscordBot Aug 20, 2020
Reviewed Aug 21, 2020
Published to the GitHub Advisory Database Aug 21, 2020
Published by the National Vulnerability Database Aug 21, 2020
Last updated Feb 1, 2023

Severity

High
8.6
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2020-15147

GHSA ID

GHSA-7257-96vg-qf6x

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.