Search criteria
2 vulnerabilities found for mit-identibot by ZelnickB
CVE-2024-35237 (GCVE-0-2024-35237)
Vulnerability from nvd – Published: 2024-05-27 17:07 – Updated: 2024-08-02 03:07
VLAI
Title
MIT IdentiBot User-Kerberos Mapping Publicly Available
Summary
MIT IdentiBot is an open-source Discord bot written in Node.js that verifies individuals' affiliations with MIT, grants them roles in a Discord server, and stores information about them in a database backend. A vulnerability that exists prior to commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e impacts all users who have performed verification with an instance of MIT IdentiBot that meets the following conditions: The instance of IdentiBot is tied to a "public" Discord application—i.e., users other than the API access registrant can add it to servers; *and* the instance has not yet been patched. In affected versions, IdentiBot does not check that a server is authorized before allowing members to execute slash and user commands in that server. As a result, any user can join IdentiBot to their server and then use commands (e.g., `/kerbid`) to reveal the full name and other information about a Discord user who has verified their affiliation with MIT using IdentiBot. The latest version of MIT IdentiBot contains a patch for this vulnerability (implemented in commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e). There is no way to prevent exploitation of the vulnerability without the patch. To prevent exploitation of the vulnerability, all vulnerable instances of IdentiBot should be taken offline until they have been updated.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/ZelnickB/mit-identibot/securit… | x_refsource_CONFIRM |
| https://github.com/ZelnickB/mit-identibot/commit/… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ZelnickB | mit-identibot |
Affected:
< 48e3e5e7ead6777fa75d57c7711c8e55b501c24e
|
|
| zelnickb | mit_identibot |
Affected:
0 , < 48e3e5e7ead6777fa75d57c7711c8e55b501c24e
(custom)
cpe:2.3:a:zelnickb:mit_identibot:mit_identibot:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zelnickb:mit_identibot:mit_identibot:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mit_identibot",
"vendor": "zelnickb",
"versions": [
{
"lessThan": "48e3e5e7ead6777fa75d57c7711c8e55b501c24e\t",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35237",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-28T13:55:27.451991Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-05T19:03:47.354Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.921Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ZelnickB/mit-identibot/security/advisories/GHSA-h8r9-7r8x-78v6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ZelnickB/mit-identibot/security/advisories/GHSA-h8r9-7r8x-78v6"
},
{
"name": "https://github.com/ZelnickB/mit-identibot/commit/48e3e5e7ead6777fa75d57c7711c8e55b501c24e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ZelnickB/mit-identibot/commit/48e3e5e7ead6777fa75d57c7711c8e55b501c24e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mit-identibot",
"vendor": "ZelnickB",
"versions": [
{
"status": "affected",
"version": "\u003c 48e3e5e7ead6777fa75d57c7711c8e55b501c24e"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MIT IdentiBot is an open-source Discord bot written in Node.js that verifies individuals\u0027 affiliations with MIT, grants them roles in a Discord server, and stores information about them in a database backend. A vulnerability that exists prior to commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e impacts all users who have performed verification with an instance of MIT IdentiBot that meets the following conditions: The instance of IdentiBot is tied to a \"public\" Discord application\u2014i.e., users other than the API access registrant can add it to servers; *and* the instance has not yet been patched. In affected versions, IdentiBot does not check that a server is authorized before allowing members to execute slash and user commands in that server. As a result, any user can join IdentiBot to their server and then use commands (e.g., `/kerbid`) to reveal the full name and other information about a Discord user who has verified their affiliation with MIT using IdentiBot. The latest version of MIT IdentiBot contains a patch for this vulnerability (implemented in commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e). There is no way to prevent exploitation of the vulnerability without the patch. To prevent exploitation of the vulnerability, all vulnerable instances of IdentiBot should be taken offline until they have been updated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-27T17:07:09.361Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ZelnickB/mit-identibot/security/advisories/GHSA-h8r9-7r8x-78v6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ZelnickB/mit-identibot/security/advisories/GHSA-h8r9-7r8x-78v6"
},
{
"name": "https://github.com/ZelnickB/mit-identibot/commit/48e3e5e7ead6777fa75d57c7711c8e55b501c24e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ZelnickB/mit-identibot/commit/48e3e5e7ead6777fa75d57c7711c8e55b501c24e"
}
],
"source": {
"advisory": "GHSA-h8r9-7r8x-78v6",
"discovery": "UNKNOWN"
},
"title": "MIT IdentiBot User-Kerberos Mapping Publicly Available"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-35237",
"datePublished": "2024-05-27T17:07:09.361Z",
"dateReserved": "2024-05-14T15:39:41.786Z",
"dateUpdated": "2024-08-02T03:07:46.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35237 (GCVE-0-2024-35237)
Vulnerability from cvelistv5 – Published: 2024-05-27 17:07 – Updated: 2024-08-02 03:07
VLAI
Title
MIT IdentiBot User-Kerberos Mapping Publicly Available
Summary
MIT IdentiBot is an open-source Discord bot written in Node.js that verifies individuals' affiliations with MIT, grants them roles in a Discord server, and stores information about them in a database backend. A vulnerability that exists prior to commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e impacts all users who have performed verification with an instance of MIT IdentiBot that meets the following conditions: The instance of IdentiBot is tied to a "public" Discord application—i.e., users other than the API access registrant can add it to servers; *and* the instance has not yet been patched. In affected versions, IdentiBot does not check that a server is authorized before allowing members to execute slash and user commands in that server. As a result, any user can join IdentiBot to their server and then use commands (e.g., `/kerbid`) to reveal the full name and other information about a Discord user who has verified their affiliation with MIT using IdentiBot. The latest version of MIT IdentiBot contains a patch for this vulnerability (implemented in commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e). There is no way to prevent exploitation of the vulnerability without the patch. To prevent exploitation of the vulnerability, all vulnerable instances of IdentiBot should be taken offline until they have been updated.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/ZelnickB/mit-identibot/securit… | x_refsource_CONFIRM |
| https://github.com/ZelnickB/mit-identibot/commit/… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ZelnickB | mit-identibot |
Affected:
< 48e3e5e7ead6777fa75d57c7711c8e55b501c24e
|
|
| zelnickb | mit_identibot |
Affected:
0 , < 48e3e5e7ead6777fa75d57c7711c8e55b501c24e
(custom)
cpe:2.3:a:zelnickb:mit_identibot:mit_identibot:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zelnickb:mit_identibot:mit_identibot:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mit_identibot",
"vendor": "zelnickb",
"versions": [
{
"lessThan": "48e3e5e7ead6777fa75d57c7711c8e55b501c24e\t",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35237",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-28T13:55:27.451991Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-05T19:03:47.354Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:07:46.921Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ZelnickB/mit-identibot/security/advisories/GHSA-h8r9-7r8x-78v6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ZelnickB/mit-identibot/security/advisories/GHSA-h8r9-7r8x-78v6"
},
{
"name": "https://github.com/ZelnickB/mit-identibot/commit/48e3e5e7ead6777fa75d57c7711c8e55b501c24e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ZelnickB/mit-identibot/commit/48e3e5e7ead6777fa75d57c7711c8e55b501c24e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mit-identibot",
"vendor": "ZelnickB",
"versions": [
{
"status": "affected",
"version": "\u003c 48e3e5e7ead6777fa75d57c7711c8e55b501c24e"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MIT IdentiBot is an open-source Discord bot written in Node.js that verifies individuals\u0027 affiliations with MIT, grants them roles in a Discord server, and stores information about them in a database backend. A vulnerability that exists prior to commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e impacts all users who have performed verification with an instance of MIT IdentiBot that meets the following conditions: The instance of IdentiBot is tied to a \"public\" Discord application\u2014i.e., users other than the API access registrant can add it to servers; *and* the instance has not yet been patched. In affected versions, IdentiBot does not check that a server is authorized before allowing members to execute slash and user commands in that server. As a result, any user can join IdentiBot to their server and then use commands (e.g., `/kerbid`) to reveal the full name and other information about a Discord user who has verified their affiliation with MIT using IdentiBot. The latest version of MIT IdentiBot contains a patch for this vulnerability (implemented in commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e). There is no way to prevent exploitation of the vulnerability without the patch. To prevent exploitation of the vulnerability, all vulnerable instances of IdentiBot should be taken offline until they have been updated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-27T17:07:09.361Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ZelnickB/mit-identibot/security/advisories/GHSA-h8r9-7r8x-78v6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ZelnickB/mit-identibot/security/advisories/GHSA-h8r9-7r8x-78v6"
},
{
"name": "https://github.com/ZelnickB/mit-identibot/commit/48e3e5e7ead6777fa75d57c7711c8e55b501c24e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ZelnickB/mit-identibot/commit/48e3e5e7ead6777fa75d57c7711c8e55b501c24e"
}
],
"source": {
"advisory": "GHSA-h8r9-7r8x-78v6",
"discovery": "UNKNOWN"
},
"title": "MIT IdentiBot User-Kerberos Mapping Publicly Available"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-35237",
"datePublished": "2024-05-27T17:07:09.361Z",
"dateReserved": "2024-05-14T15:39:41.786Z",
"dateUpdated": "2024-08-02T03:07:46.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}