CVE-2020-15251: Missing Authorization
(updated )
In the Channelmgnt plug-in for Sopel before version 1.0.3, malicious users are able to op/voice and take over a channel. This is an ACL bypass vulnerability. This plugin is bundled with MirahezeBot-Plugins with versions from 9.0.0 and less than 9.0.2 affected. Version 9.0.2 includes 1.0.3 of channelmgnt, and thus is safe from this vulnerability. See referenced GHSA-23pc-4339-95vg.
References
- github.com/MirahezeBots/MirahezeBots/security/advisories/GHSA-23pc-4339-95vg
- github.com/MirahezeBots/sopel-channelmgnt/pull/3
- github.com/MirahezeBots/sopel-channelmgnt/security/advisories/GHSA-j257-jfvv-h3x5
- github.com/advisories/GHSA-j257-jfvv-h3x5
- nvd.nist.gov/vuln/detail/CVE-2020-15251
- phab.bots.miraheze.wiki/T117
- phab.bots.miraheze.wiki/phame/live/1/post/1/summary/
- pypi.org/project/sopel-plugins.channelmgnt/
Code Behaviors & Features
Detect and mitigate CVE-2020-15251 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →