CVE-2021-32646— Escalation of permissions in roomer

Escalation of permissions in roomer

Roomer is a discord bot cog (extension) which provides automatic voice channel generation as well as private voice and text channels. A vulnerability has been discovered allowing discord users to get the ``manage channel`` permissions in a private VC they have joined. This allowed them to make changes to or delete the voice channel they have taken over. The exploit does not allow access or control to any other channels in the server. Upgrade to version 1.0.1 for a patched version of the cog. As a workaround you may disable private VCs in your guild(server) or unload the roomer cog to render the exploit unusable.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

认证机制不恰当

Roomer 授权问题漏洞

Roomer是一个discord bot cog的扩展。它提供自动语音频道生成以及私人语音和文本频道。 Roomer 1.0.1之前版本中存在授权问题漏洞，该漏洞源于允许不和谐的用户获得管理渠道权限在一个私人VC他们已经加入，这使得他们可以改变或删除他们接管的语音频道。该漏洞不允许访问或控制服务器中的任何其他通道。可以禁用私人VCs在你的公会(服务器)或卸载roomer齿轮渲染。

N/A

N/A