CVE-2024-35237 (GCVE-0-2024-35237)

Vulnerability from cvelistv5 – Published: 2024-05-27 17:07 – Updated: 2024-08-02 03:07
VLAI
Title
MIT IdentiBot User-Kerberos Mapping Publicly Available
Summary
MIT IdentiBot is an open-source Discord bot written in Node.js that verifies individuals' affiliations with MIT, grants them roles in a Discord server, and stores information about them in a database backend. A vulnerability that exists prior to commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e impacts all users who have performed verification with an instance of MIT IdentiBot that meets the following conditions: The instance of IdentiBot is tied to a "public" Discord application—i.e., users other than the API access registrant can add it to servers; *and* the instance has not yet been patched. In affected versions, IdentiBot does not check that a server is authorized before allowing members to execute slash and user commands in that server. As a result, any user can join IdentiBot to their server and then use commands (e.g., `/kerbid`) to reveal the full name and other information about a Discord user who has verified their affiliation with MIT using IdentiBot. The latest version of MIT IdentiBot contains a patch for this vulnerability (implemented in commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e). There is no way to prevent exploitation of the vulnerability without the patch. To prevent exploitation of the vulnerability, all vulnerable instances of IdentiBot should be taken offline until they have been updated.
Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
ZelnickB mit-identibot Affected: < 48e3e5e7ead6777fa75d57c7711c8e55b501c24e
Create a notification for this product.
zelnickb mit_identibot Affected: 0 , < 48e3e5e7ead6777fa75d57c7711c8e55b501c24e (custom)
    cpe:2.3:a:zelnickb:mit_identibot:mit_identibot:*:*:*:*:*:*:*
 Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:zelnickb:mit_identibot:mit_identibot:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "mit_identibot",
            "vendor": "zelnickb",
            "versions": [
              {
                "lessThan": "48e3e5e7ead6777fa75d57c7711c8e55b501c24e\t",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35237",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-28T13:55:27.451991Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-05T19:03:47.354Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:07:46.921Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/ZelnickB/mit-identibot/security/advisories/GHSA-h8r9-7r8x-78v6",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ZelnickB/mit-identibot/security/advisories/GHSA-h8r9-7r8x-78v6"
          },
          {
            "name": "https://github.com/ZelnickB/mit-identibot/commit/48e3e5e7ead6777fa75d57c7711c8e55b501c24e",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ZelnickB/mit-identibot/commit/48e3e5e7ead6777fa75d57c7711c8e55b501c24e"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mit-identibot",
          "vendor": "ZelnickB",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 48e3e5e7ead6777fa75d57c7711c8e55b501c24e"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MIT IdentiBot is an open-source Discord bot written in Node.js that verifies individuals\u0027 affiliations with MIT, grants them roles in a Discord server, and stores information about them in a database backend. A vulnerability that exists prior to commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e impacts all users who have performed verification with an instance of MIT IdentiBot that meets the following conditions: The instance of IdentiBot is tied to a \"public\" Discord application\u2014i.e., users other than the API access registrant can add it to servers; *and* the instance has not yet been patched. In affected versions, IdentiBot does not check that a server is authorized before allowing members to execute slash and user commands in that server. As a result, any user can join IdentiBot to their server and then use commands (e.g., `/kerbid`) to reveal the full name and other information about a Discord user who has verified their affiliation with MIT using IdentiBot. The latest version of MIT IdentiBot contains a patch for this vulnerability (implemented in commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e). There is no way to prevent exploitation of the vulnerability without the patch. To prevent exploitation of the vulnerability, all vulnerable instances of IdentiBot should be taken offline until they have been updated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-27T17:07:09.361Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ZelnickB/mit-identibot/security/advisories/GHSA-h8r9-7r8x-78v6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ZelnickB/mit-identibot/security/advisories/GHSA-h8r9-7r8x-78v6"
        },
        {
          "name": "https://github.com/ZelnickB/mit-identibot/commit/48e3e5e7ead6777fa75d57c7711c8e55b501c24e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ZelnickB/mit-identibot/commit/48e3e5e7ead6777fa75d57c7711c8e55b501c24e"
        }
      ],
      "source": {
        "advisory": "GHSA-h8r9-7r8x-78v6",
        "discovery": "UNKNOWN"
      },
      "title": "MIT IdentiBot User-Kerberos Mapping Publicly Available"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-35237",
    "datePublished": "2024-05-27T17:07:09.361Z",
    "dateReserved": "2024-05-14T15:39:41.786Z",
    "dateUpdated": "2024-08-02T03:07:46.921Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-35237",
      "date": "2026-06-07",
      "epss": "0.00126",
      "percentile": "0.31439"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35237\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-05-27T17:15:10.230\",\"lastModified\":\"2024-11-21T09:19:59.777\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MIT IdentiBot is an open-source Discord bot written in Node.js that verifies individuals\u0027 affiliations with MIT, grants them roles in a Discord server, and stores information about them in a database backend. A vulnerability that exists prior to commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e impacts all users who have performed verification with an instance of MIT IdentiBot that meets the following conditions: The instance of IdentiBot is tied to a \\\"public\\\" Discord application\u2014i.e., users other than the API access registrant can add it to servers; *and* the instance has not yet been patched. In affected versions, IdentiBot does not check that a server is authorized before allowing members to execute slash and user commands in that server. As a result, any user can join IdentiBot to their server and then use commands (e.g., `/kerbid`) to reveal the full name and other information about a Discord user who has verified their affiliation with MIT using IdentiBot. The latest version of MIT IdentiBot contains a patch for this vulnerability (implemented in commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e). There is no way to prevent exploitation of the vulnerability without the patch. To prevent exploitation of the vulnerability, all vulnerable instances of IdentiBot should be taken offline until they have been updated.\"},{\"lang\":\"es\",\"value\":\"MIT IdentiBot es un bot de Discord de c\u00f3digo abierto escrito en Node.js que verifica las afiliaciones de las personas con el MIT, les otorga roles en un servidor de Discord y almacena informaci\u00f3n sobre ellos en una base de datos. Una vulnerabilidad que existe antes del commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e afecta a todos los usuarios que han realizado la verificaci\u00f3n con una instancia de MIT IdentiBot que cumple las siguientes condiciones: La instancia de IdentiBot est\u00e1 vinculada a una aplicaci\u00f3n Discord \\\"p\u00fablica\\\", es decir, usuarios distintos del registrante de acceso a la API. puede agregarlo a los servidores; *y* la instancia a\u00fan no ha sido parcheada. En las versiones afectadas, IdentiBot no verifica que un servidor est\u00e9 autorizado antes de permitir a los miembros ejecutar comandos de usuario y barra diagonal en ese servidor. Como resultado, cualquier usuario puede unirse a IdentiBot en su servidor y luego usar comandos (por ejemplo, `/kerbid`) para revelar el nombre completo y otra informaci\u00f3n sobre un usuario de Discord que haya verificado su afiliaci\u00f3n con el MIT usando IdentiBot. La \u00faltima versi\u00f3n de MIT IdentiBot contiene un parche para esta vulnerabilidad (implementado en el commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e). No hay forma de evitar la explotaci\u00f3n de la vulnerabilidad sin el parche. Para evitar la explotaci\u00f3n de la vulnerabilidad, todas las instancias vulnerables de IdentiBot deben desconectarse hasta que se hayan actualizado.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://github.com/ZelnickB/mit-identibot/commit/48e3e5e7ead6777fa75d57c7711c8e55b501c24e\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/ZelnickB/mit-identibot/security/advisories/GHSA-h8r9-7r8x-78v6\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/ZelnickB/mit-identibot/commit/48e3e5e7ead6777fa75d57c7711c8e55b501c24e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/ZelnickB/mit-identibot/security/advisories/GHSA-h8r9-7r8x-78v6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"MIT IdentiBot User-Kerberos Mapping Publicly Available\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-862\", \"lang\": \"en\", \"description\": \"CWE-862: Missing Authorization\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/ZelnickB/mit-identibot/security/advisories/GHSA-h8r9-7r8x-78v6\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/ZelnickB/mit-identibot/security/advisories/GHSA-h8r9-7r8x-78v6\"}, {\"name\": \"https://github.com/ZelnickB/mit-identibot/commit/48e3e5e7ead6777fa75d57c7711c8e55b501c24e\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/ZelnickB/mit-identibot/commit/48e3e5e7ead6777fa75d57c7711c8e55b501c24e\"}], \"affected\": [{\"vendor\": \"ZelnickB\", \"product\": \"mit-identibot\", \"versions\": [{\"version\": \"\u003c 48e3e5e7ead6777fa75d57c7711c8e55b501c24e\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-05-27T17:07:09.361Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"MIT IdentiBot is an open-source Discord bot written in Node.js that verifies individuals\u0027 affiliations with MIT, grants them roles in a Discord server, and stores information about them in a database backend. A vulnerability that exists prior to commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e impacts all users who have performed verification with an instance of MIT IdentiBot that meets the following conditions: The instance of IdentiBot is tied to a \\\"public\\\" Discord application\\u2014i.e., users other than the API access registrant can add it to servers; *and* the instance has not yet been patched. In affected versions, IdentiBot does not check that a server is authorized before allowing members to execute slash and user commands in that server. As a result, any user can join IdentiBot to their server and then use commands (e.g., `/kerbid`) to reveal the full name and other information about a Discord user who has verified their affiliation with MIT using IdentiBot. The latest version of MIT IdentiBot contains a patch for this vulnerability (implemented in commit 48e3e5e7ead6777fa75d57c7711c8e55b501c24e). There is no way to prevent exploitation of the vulnerability without the patch. To prevent exploitation of the vulnerability, all vulnerable instances of IdentiBot should be taken offline until they have been updated.\"}], \"source\": {\"advisory\": \"GHSA-h8r9-7r8x-78v6\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-35237\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-28T13:55:27.451991Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:zelnickb:mit_identibot:mit_identibot:*:*:*:*:*:*:*\"], \"vendor\": \"zelnickb\", \"product\": \"mit_identibot\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"48e3e5e7ead6777fa75d57c7711c8e55b501c24e\\t\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-28T13:58:44.932Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-35237\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-05-14T15:39:41.786Z\", \"datePublished\": \"2024-05-27T17:07:09.361Z\", \"dateUpdated\": \"2024-06-05T19:03:47.354Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.