Lucene search

[email protected]NVD:CVE-2021-29466

HistoryApr 22, 2021 - 1:15 a.m.

CVE-2021-29466

2021-04-2201:15:07

CWE-24

CWE-22

[email protected]

web.nvd.nist.gov

discord-recon

remote attacker

local files

server

vulnerability

patch

version 0.0.4

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.004

Percentile

74.7%

JSON

Discord-Recon is a bot for the Discord chat service. In versions of Discord-Recon 0.0.3 and prior, a remote attacker is able to read local files from the server that can disclose important information. As a workaround, a bot maintainer can locate the file app.py and add .replace('..', '') into the Path variable inside of the recon function. The vulnerability is patched in version 0.0.4.

Affected configurations

Nvd

Node

discorddiscord-reconRange<0.0.4

VendorProductVersionCPE
discorddiscord-recon*cpe:2.3:a:discord:discord-recon:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
discord	discord-recon	*	cpe:2.3:a:discord:discord-recon::::::::

References

github.com/DEMON1A/Discord-Recon/security/advisories/GHSA-p2pw-8xwf-879g

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.004

Percentile

74.7%

JSON

Related for NVD:CVE-2021-29466

cvelist1 osv1 prion1 cve1