Vulnerability Details : CVE-2023-30621
Gipsy is a multi-purpose Discord bot which aims to be as modular and user-friendly as possible. In versions prior to 1.3, users can run commands on the host machine with sudo (root) privileges. The `!ping` command, when given an IP address or hostname, ran a bash `ping <IP>` without verifying that the IP or hostname was legitimate. The command was executed with root permissions and may lead to arbitrary command injection on the host server. Users are advised to upgrade. There are no known workarounds for this vulnerability.
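The following Python block is an added illustration and is not Gipsy's own code: it shows the vulnerable shape described above (a user-supplied target interpolated into a shell command line) beside a hardened replacement that accepts only an IP literal or an RFC 1123 hostname and passes it to `ping` as a single argv element with no shell involved. The function names, the hostname rule and the sample inputs are assumptions made for this example.

```python
"""Added example for CVE-2023-30621 (not Gipsy's code): the command-injection
pattern the advisory describes, beside a hardened replacement.  Function names,
the hostname rule and the sample inputs are assumptions for illustration."""
import ipaddress
import re
import shlex
import subprocess

# Constructed sample inputs for the demonstration (not taken from the advisory).
BENIGN_TARGET = "127.0.0.1"
INJECTED_TARGET = "127.0.0.1; id"

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 63 characters per label.
_HOSTNAME_RE = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def build_ping_command_unsafe(target: str) -> str:
    """The vulnerable shape: user input interpolated into a command line that
    would then be handed to a shell (os.system / subprocess with shell=True)."""
    return f"ping -c 1 {target}"


def shell_tokens(command_line: str) -> list[str]:
    """Tokenise a command line the way a POSIX shell would, keeping operators
    such as ';' '|' '&' as separate tokens, to show where the injection lands."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return list(lexer)


def validate_target(target: str) -> str:
    """Return target unchanged if it is an IPv4/IPv6 literal or a syntactically
    valid hostname; raise ValueError otherwise.  Anything containing shell
    metacharacters, whitespace, or a leading '-' (option smuggling) is rejected."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if len(target) > 253 or not _HOSTNAME_RE.fullmatch(target):
        raise ValueError(f"refusing to ping invalid target: {target!r}")
    return target


def build_ping_argv(target: str) -> list[str]:
    """Hardened shape: the validated target is one argv element, no shell."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str) -> int:
    """Execute the hardened command.  shell=False hands argv to execve directly,
    so no metacharacter in target is ever interpreted by a shell."""
    completed = subprocess.run(
        build_ping_argv(target),
        shell=False,
        timeout=10,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return completed.returncode


if __name__ == "__main__":
    # The unsafe string tokenises into two commands: 'ping ...' and 'id'.
    print(shell_tokens(build_ping_command_unsafe(INJECTED_TARGET)))
    print(build_ping_argv(BENIGN_TARGET))
    try:
        build_ping_argv(INJECTED_TARGET)
    except ValueError as exc:
        print(exc)
```

The validation and the argv form are both needed: an argv list alone stops the shell from splitting on `;`, but a target beginning with `-` would still be parsed by `ping` as an option, which is why the hostname rule refuses a leading hyphen. Independently of the code fix, running the bot as an unprivileged user limits what any remaining bug can reach; on Linux, iputils `ping` does not need the bot to be root, since it obtains raw-socket access through a setuid bit or `CAP_NET_RAW` of its own.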
Products affected by CVE-2023-30621
- cpe:2.3:a:gipsy_project:gipsy:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-30621
- EPSS score: 0.20% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~58% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2023-30621
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | GitHub, Inc. | |
CWE ids for CVE-2023-30621
- The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-30621
- https://github.com/Curiosity-org/Gipsy/security/advisories/GHSA-6cw6-r8pg-j7wh
  Critical security breach · Advisory · Curiosity-org/Gipsy · GitHub (Patch; Third Party Advisory)
- https://github.com/Gunivers/Gipsy/pull/24/commits/716818e967069f144aae66d51464b237c22b6cdf
  Fixed error with twitter API token by Leirof · Pull Request #24 · Curiosity-org/Gipsy · GitHub (Patch)
- https://github.com/Gunivers/Gipsy/pull/24
  Fixed error with twitter API token by Leirof · Pull Request #24 · Curiosity-org/Gipsy · GitHub (Patch)