{"id":"GHSA-59j8-776v-xxxg","summary":"NoneBot Potential Information Leak in User-Constructed Message Templates","details":"### Impact\nThis security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates.\n\n### Patches\nThe identified vulnerability has been remedied in fix #2509 and will be included in versions released after 2.1.3. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability.\n\n### Workarounds\nA temporary workaround involves filtering underscores before incorporating user input into the message template.\n\n### References\n- [Pull Request #2509](https://github.com/nonebot/nonebot2/pull/2509)\n- [CWE-1336](https://cwe.mitre.org/data/definitions/1336.html)","aliases":["CVE-2024-21624","PYSEC-2024-37"],"modified":"2024-02-16T22:46:51.754988Z","published":"2024-02-09T15:04:08Z","related":["CVE-2024-21624"],"database_specific":{"severity":"MODERATE","nvd_published_at":"2024-02-09T23:15:08Z","cwe_ids":["CWE-1336","CWE-200"],"github_reviewed":true,"github_reviewed_at":"2024-02-09T15:04:08Z"},"references":[{"type":"WEB","url":"https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21624"},{"type":"WEB","url":"https://github.com/nonebot/nonebot2/pull/2509"},{"type":"WEB","url":"https://github.com/nonebot/nonebot2/commit/b65b3b438c95894654fd9081139989c757bdc6c1"},{"type":"PACKAGE","url":"https://github.com/nonebot/nonebot2"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/nonebot2/PYSEC-2024-37.yaml"}],"affected":[{"package":{"name":"nonebot2","ecosystem":"PyPI","purl":"pkg:pypi/nonebot2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.0.0a16"},{"fixed":"2.2.0"}]}],"versions":["2.0.0","2.0.0a16","2.0.0b1","2.0.0b2","2.0.0b3","2.0.0b4","2.0.0b5","2.0.0rc1","2.0.0rc2","2.0.0rc3","2.0.0rc4","2.0.1","2.1.0","2.1.1","2.1.2","2.1.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-59j8-776v-xxxg/GHSA-59j8-776v-xxxg.json","last_known_affected_version_range":"\u003c= 2.1.3"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"}]}