Exposure of Sensitive Information to an Unauthorized Actor in DisCatSharp
Moderate severity
GitHub Reviewed
Published
Apr 13, 2022
in
Aiko-IT-Systems/DisCatSharp
•
Updated Jan 27, 2023
Description
Published by the National Vulnerability Database
Apr 14, 2022
Published to the GitHub Advisory Database
Apr 22, 2022
Reviewed
Apr 22, 2022
Last updated
Jan 27, 2023
Impact
Users of versions 9.8.5, 9.8.6, 9.9.0 and previously published prereleases of 10.0.0 who have used either one of the two
RequireDisCatSharpDeveloperAttribute
s or theBaseDiscordClient.LibraryDeveloperTeam
have potentially had their bot token sent to a web server not affiliated with Discord. This server is owned and operated by DisCatSharp's development team. The tokens were not logged, yet it is still advisable to reset the tokens of potentially affected bots.Patches
9.9.1 has been released to patch the issue for the current stable release and the current 10.0.0 prereleases are also no longer affected.
Workarounds
Remove all uses of the two
RequireDisCatSharpDeveloperAttribute
s and all direct calls toBaseDiscordClient.LibraryDeveloperTeam
.Details
The
HttpClient
responsible for sending requests to the Discord API was erroneously reused to send requests to our website when DisCatSharp's team members were to be fetched.For more information
If you have any questions or comments about this advisory:
References