CVE-2021-21431: Improper Input Validation in sopel-plugins.channelmgnt
On some IRC servers, the restriction that stops the bot from being removed through its own kick/kickban command could be bypassed by kicking multiple users at once. We also believe it may have been possible to remove users from other channels, but because IRC servers differ in how they follow the RFCs, we have no proof of concept for that.
Freenode is not affected.
References
- github.com/MirahezeBots/sopel-channelmgnt
- github.com/MirahezeBots/sopel-channelmgnt/commit/643388365f28c5cc682254ab913c401f0e53260a
- github.com/MirahezeBots/sopel-channelmgnt/commit/7c96d400358221e59135f0a0be0744f3fad73856
- github.com/MirahezeBots/sopel-channelmgnt/security/advisories/GHSA-23c7-6444-399m
- github.com/advisories/GHSA-23c7-6444-399m
- github.com/pypa/advisory-database/tree/main/vulns/sopel-plugins-channelmgnt/PYSEC-2021-58.yaml
- nvd.nist.gov/vuln/detail/CVE-2021-21431
- pypi.org/project/sopel-plugins.channelmgnt