ID

VAR-202003-1509


CVE

CVE-2020-5282


TITLE

Nick Chan Bot operating system command injection vulnerability

Trust: 1.2

sources: CNVD: CNVD-2020-24408 // CNNVD: CNNVD-202003-1604

DESCRIPTION

In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the `npm` command which is part of this software package. This allows arbitrary shell execution, which can compromise the bot. This is patched in version 1.0.0-beta. (DoS) It may be put into a state. Nick Chan Bot is a private Discord robot written using the discord.js library. The vulnerability stems from the fact that executable operating system commands are constructed from external input data, and the network system or product does not properly filter special characters and commands. Attackers can use this vulnerability to execute illegal operating system commands.

Trust: 2.16

sources: NVD: CVE-2020-5282 // JVNDB: JVNDB-2020-003499 // CNVD: CNVD-2020-24408

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-24408

AFFECTED PRODUCTS

vendor: nick chan bot, model: nick chan bot, scope: eq, version: 1.0.0

Trust: 1.0

vendor: nick chan bot, model: nickchanbot, scope: eq, version: 1.0.0-beta

Trust: 0.8

vendor: nick, model: chan bot nick chan bot <1.0.0-beta, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2020-24408 // JVNDB: JVNDB-2020-003499 // NVD: CVE-2020-5282

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-5282
value: CRITICAL

Trust: 1.0

security-advisories@github.com: CVE-2020-5282
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-003499
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2020-24408
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202003-1604
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2020-5282
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-003499
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-24408
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2020-5282
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

security-advisories@github.com: CVE-2020-5282
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 0.8
impactScore: 5.8
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-003499
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-24408 // JVNDB: JVNDB-2020-003499 // CNNVD: CNNVD-202003-1604 // NVD: CVE-2020-5282 // NVD: CVE-2020-5282

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.8

sources: JVNDB: JVNDB-2020-003499 // NVD: CVE-2020-5282

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202003-1604

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-202003-1604

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-003499

PATCH

title: Merge pull request from GHSA-8xwp-r7pj-cgw3, url: https://github.com/Assfugil/nickchanbot/commit/d7dc87523fc8bb6babbf8d636c339193b236a3ba

Trust: 0.8

title: arbitrary shell execution, url: https://github.com/Assfugil/nickchanbot/security/advisories/GHSA-8xwp-r7pj-cgw3

Trust: 0.8

sources: JVNDB: JVNDB-2020-003499

EXTERNAL IDS

db: NVD, id: CVE-2020-5282

Trust: 3.0

db: JVNDB, id: JVNDB-2020-003499

Trust: 0.8

db: CNVD, id: CNVD-2020-24408

Trust: 0.6

db: CNNVD, id: CNNVD-202003-1604

Trust: 0.6

sources: CNVD: CNVD-2020-24408 // JVNDB: JVNDB-2020-003499 // CNNVD: CNNVD-202003-1604 // NVD: CVE-2020-5282

REFERENCES

url: https://github.com/assfugil/nickchanbot/security/advisories/ghsa-8xwp-r7pj-cgw3

Trust: 1.6

url: https://github.com/assfugil/nickchanbot/commit/d7dc87523fc8bb6babbf8d636c339193b236a3ba

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2020-5282

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5282

Trust: 0.8

sources: JVNDB: JVNDB-2020-003499 // CNNVD: CNNVD-202003-1604 // NVD: CVE-2020-5282

SOURCES

db: CNVD, id: CNVD-2020-24408
db: JVNDB, id: JVNDB-2020-003499
db: CNNVD, id: CNNVD-202003-1604
db: NVD, id: CVE-2020-5282

LAST UPDATE DATE

2024-11-23T22:55:15.736000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2020-24408, date: 2020-04-23T00:00:00
db: JVNDB, id: JVNDB-2020-003499, date: 2020-04-17T00:00:00
db: CNNVD, id: CNNVD-202003-1604, date: 2020-04-28T00:00:00
db: NVD, id: CVE-2020-5282, date: 2024-11-21T05:33:49.770

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2020-24408, date: 2020-04-23T00:00:00
db: JVNDB, id: JVNDB-2020-003499, date: 2020-04-17T00:00:00
db: CNNVD, id: CNNVD-202003-1604, date: 2020-03-25T00:00:00
db: NVD, id: CVE-2020-5282, date: 2020-03-25T19:15:15.980