CVE-2022-36024 - Vulnerability Details - OpenCVE

py-cord is a an API wrapper for Discord written in Python. Bots creating using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected. This issue has been patched in version 2.0.1. There are currently no recommended workarounds - please upgrade to a patched version.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Pycord Development	Pycord

Configuration 1 [-]

cpe:2.3:a:pycord_development:pycord:2.0.0:*:*:*:*:discord:*:*

No data.

References

Link	Providers
https://github.com/Pycord-Development/pycord/pull/1568
https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr

History

Wed, 23 Apr 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-08-18T14:45:17.000Z

Updated: 2025-04-23T17:49:06.683Z

Reserved: 2022-07-15T00:00:00.000Z

Link: CVE-2022-36024

Vulnrichment

Updated: 2024-08-03T09:51:59.928Z

NVD

Status : Modified

Published: 2022-08-18T15:15:26.243

Modified: 2024-11-21T07:12:12.530

Link: CVE-2022-36024

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "pycord", "vendor": "Pycord-Development", "versions": [{"status": "affected", "version": "= 2.0.0"}]}], "descriptions": [{"lang": "en", "value": "py-cord is a an API wrapper for Discord written in Python. Bots creating using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected. This issue has been patched in version 2.0.1. There are currently no recommended workarounds - please upgrade to a patched version."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-19T19:45:13.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Pycord-Development/pycord/pull/1568"}], "source": {"advisory": "GHSA-qmhj-m29v-gvmr", "discovery": "UNKNOWN"}, "title": "Bots using py-cord as discord api wrapper are vulnerable to shutdowns through remote code execution", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36024", "STATE": "PUBLIC", "TITLE": "Bots using py-cord as discord api wrapper are vulnerable to shutdowns through remote code execution"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "pycord", "version": {"version_data": [{"version_value": "= 2.0.0"}]}}]}, "vendor_name": "Pycord-Development"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "py-cord is a an API wrapper for Discord written in Python. Bots creating using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected. This issue has been patched in version 2.0.1. There are currently no recommended workarounds - please upgrade to a patched version."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862: Missing Authorization"}]}, {"description": [{"lang": "eng", "value": "CWE-284: Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr", "refsource": "CONFIRM", "url": "https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr"}, {"name": "https://github.com/Pycord-Development/pycord/pull/1568", "refsource": "MISC", "url": "https://github.com/Pycord-Development/pycord/pull/1568"}]}, "source": {"advisory": "GHSA-qmhj-m29v-gvmr", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:51:59.928Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Pycord-Development/pycord/pull/1568"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T15:52:15.958967Z", "id": "CVE-2022-36024", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T17:49:06.683Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36024", "datePublished": "2022-08-18T14:45:17.000Z", "dateReserved": "2022-07-15T00:00:00.000Z", "dateUpdated": "2025-04-23T17:49:06.683Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/Pycord-Development/pycord/pull/1568", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:51:59.928Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-36024", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T15:52:15.958967Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:52:17.909Z"}}], "cna": {"title": "Bots using py-cord as discord api wrapper are vulnerable to shutdowns through remote code execution", "source": {"advisory": "GHSA-qmhj-m29v-gvmr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Pycord-Development", "product": "pycord", "versions": [{"status": "affected", "version": "= 2.0.0"}]}], "references": [{"url": "https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Pycord-Development/pycord/pull/1568", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "py-cord is a an API wrapper for Discord written in Python. Bots creating using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected. This issue has been patched in version 2.0.1. There are currently no recommended workarounds - please upgrade to a patched version."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-08-19T19:45:13.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, "source": {"advisory": "GHSA-qmhj-m29v-gvmr", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "= 2.0.0"}]}, "product_name": "pycord"}]}, "vendor_name": "Pycord-Development"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr", "name": "https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr", "refsource": "CONFIRM"}, {"url": "https://github.com/Pycord-Development/pycord/pull/1568", "name": "https://github.com/Pycord-Development/pycord/pull/1568", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "py-cord is a an API wrapper for Discord written in Python. Bots creating using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected. This issue has been patched in version 2.0.1. There are currently no recommended workarounds - please upgrade to a patched version."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862: Missing Authorization"}]}, {"description": [{"lang": "eng", "value": "CWE-284: Improper Access Control"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-36024", "STATE": "PUBLIC", "TITLE": "Bots using py-cord as discord api wrapper are vulnerable to shutdowns through remote code execution", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-36024", "state": "PUBLISHED", "dateUpdated": "2025-04-23T17:49:06.683Z", "dateReserved": "2022-07-15T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-08-18T14:45:17.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pycord_development:pycord:2.0.0:*:*:*:*:discord:*:*", "matchCriteriaId": "4904F234-DCCA-442C-952C-2581C552314F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "py-cord is a an API wrapper for Discord written in Python. Bots creating using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected. This issue has been patched in version 2.0.1. There are currently no recommended workarounds - please upgrade to a patched version."}, {"lang": "es", "value": "py-cord es una envoltura de API escrita en Python. Los bots que se crean utilizando la versi\u00f3n 2.0.0 de py-cord son vulnerables al cierre remoto si se a\u00f1aden al servidor con el \u00e1mbito `application.commands` sin el \u00e1mbito `bot`. Actualmente, parece que todos los bots p\u00fablicos que usan comandos de barra est\u00e1n afectados. Este problema ha sido corregido en la versi\u00f3n 2.0.1. Actualmente no hay soluciones recomendadas - por favor, actualice a una versi\u00f3n parcheada."}], "id": "CVE-2022-36024", "lastModified": "2024-11-21T07:12:12.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-18T15:15:26.243", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Pycord-Development/pycord/pull/1568"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Pycord-Development/pycord/pull/1568"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/Pycord-Development/pycord/security/advisories/GHSA-qmhj-m29v-gvmr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Secondary"}]}