This repository has been archived by the owner on Aug 2, 2022. It is now read-only.

Contact to a server not affiliated with Discord using authenticated client

Low
oliverbooth published GHSA-f49p-74jh-jhpq Apr 14, 2022

Package

BrackeysBot.API (GitHub Packages)

Affected versions

< 4.0.0-prerelease.16

Patched versions

4.0.0-prerelease.16

Description

Impact

Consumers of version 4.0.0-prerelease.16 and previously published prereleases may have had their bot token sent to a web server not affiliated with Discord, because the BrackeysBot.API package historically referenced a compromised version of DisCatSharp.

This does not affect any of the publicly available versions of this package on NuGet.org: the nightly versions published to nuget.org reference DSharpPlus exclusively, not DisCatSharp.

This affects only those who cloned the repository from a point prior to commit 34e777dc3af83c70cab9b2e86ceb43011b79b24a and connected to Discord using such an older version.

Patches

BrackeysBot.API migrated to DSharpPlus as of commit 34e777dc3af83c70cab9b2e86ceb43011b79b24a (4.0.0-prerelease.16).

Workarounds

No workaround. The only fix is to upgrade BrackeysBot.API to a newer version.
If you are using any of the publicly available versions on nuget.org, no action is required.
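As an added example (not code from the advisory or from the BrackeysBot.API project), a small check for the situation the advisory describes: scan a checkout's .csproj files for any PackageReference to DisCatSharp, the dependency the advisory names, and report each hit so the project can be upgraded. The two sample project files and their version strings are constructed placeholders, not real releases. The advisory does not say which DisCatSharp versions were compromised, so every reference to the package is reported for review rather than matched against a version range.

```python
"""Scan .NET project files for references to the DisCatSharp package.

Added example; not code from the advisory or the BrackeysBot.API project.
The advisory says BrackeysBot.API builds before 4.0.0-prerelease.16 referenced
a compromised DisCatSharp version and that the fix was the migration to
DSharpPlus, so the check is: does any .csproj under a checkout still pull in
DisCatSharp?
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Package name as given in the advisory. Which DisCatSharp versions were
# compromised is not stated there, so every reference is reported for review.
SUSPECT_PACKAGE = "discatsharp"


def _local_name(tag: str) -> str:
    """Strip an XML namespace: '{ns}PackageReference' -> 'PackageReference'."""
    return tag.rsplit("}", 1)[-1]


def find_package_references(csproj_xml: str) -> list[tuple[str, str]]:
    """Return (package, version) for every <PackageReference> in a csproj.

    Handles SDK-style files (Version attribute, no namespace) and legacy
    MSBuild files (namespaced elements, Version as a child element).
    """
    root = ET.fromstring(csproj_xml)
    refs = []
    for el in root.iter():
        if _local_name(el.tag) != "PackageReference":
            continue
        name = el.get("Include") or el.get("Update") or ""
        version = el.get("Version") or ""
        if not version:
            for child in el:
                if _local_name(child.tag) == "Version":
                    version = (child.text or "").strip()
        refs.append((name, version))
    return refs


def flag_suspect_references(csproj_xml: str) -> list[tuple[str, str]]:
    """Keep references whose package id starts with DisCatSharp (case-insensitive);
    this also catches DisCatSharp.* satellite packages."""
    return [(name, ver) for name, ver in find_package_references(csproj_xml)
            if name.lower().startswith(SUSPECT_PACKAGE)]


def scan_tree(root_dir: str | Path) -> dict[str, list[tuple[str, str]]]:
    """Map each .csproj under root_dir that references DisCatSharp to its hits."""
    hits: dict[str, list[tuple[str, str]]] = {}
    for csproj in sorted(Path(root_dir).rglob("*.csproj")):
        try:
            flagged = flag_suspect_references(csproj.read_text(encoding="utf-8"))
        except ET.ParseError as exc:
            print(f"skipping unparsable {csproj}: {exc}", file=sys.stderr)
            continue
        if flagged:
            hits[str(csproj)] = flagged
    return hits


# Constructed sample project files (not from the BrackeysBot repository).
# Version strings are placeholders, not real DisCatSharp/DSharpPlus releases.
AFFECTED_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <PackageReference Include="DisCatSharp">
      <Version>0.0.0-constructed</Version>
    </PackageReference>
    <PackageReference Include="Microsoft.Extensions.Hosting">
      <Version>0.0.0-constructed</Version>
    </PackageReference>
  </ItemGroup>
</Project>
"""

PATCHED_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="DSharpPlus" Version="0.0.0-constructed" />
    <PackageReference Include="Microsoft.Extensions.Hosting" Version="0.0.0-constructed" />
  </ItemGroup>
</Project>
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, refs in scan_tree(target).items():
        for name, ver in refs:
            shown = ver or "(version unspecified)"
            print(f"{path}: references {name} {shown}; upgrade per GHSA-f49p-74jh-jhpq")
```

Run it with the checkout directory as its argument. A hit means the build predates the DSharpPlus migration at commit 34e777dc3af83c70cab9b2e86ceb43011b79b24a and should be upgraded as the advisory says; any bot token that ran under such a build should be treated as potentially exposed.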

References

GHSA-frxg-hf44-q765

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

No known CVE

Weaknesses