CVE-2022-21669
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
PuddingBot is a group management bot. In version 0.0.6-b933652 and prior, the bot token is publicly exposed in main.py, making it accessible to malicious actors. The bot token has been revoked and new version is already running on the server. As of time of publication, the maintainers are planning to update code to reflect this change at a later date.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| PuddingBot | pudding-bot | <= 0.0.6-b933652 | affected |
Weaknesses
- CWE-798: CWE-798: Use of Hard-coded Credentials
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/PuddingBot/pudding-bot/security/advisories/GHSA-cxgr-xpmj-9qjm
- https://github.com/PuddingBot/pudding-bot/commit/a5b15fb0a5be5fdbacba8ff7b2c8759d5e3ba20f
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://github.com/PuddingBot/pudding-bot/security/advisories/GHSA-cxgr-xpmj-9qjm
- https://github.com/PuddingBot/pudding-bot/commit/a5b15fb0a5be5fdbacba8ff7b2c8759d5e3ba20f
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.