You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Due to a bug in Red's Core API, 3rd-party cogs using the @commands.can_manage_channel() command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel.
None of the core commands or core cogs are affected. The maintainers of the project are not aware of any public 3rd-party cog utilizing this API at the time of writing this advisory.
Impact
Due to a bug in Red's Core API, 3rd-party cogs using the
@commands.can_manage_channel()
command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel.None of the core commands or core cogs are affected. The maintainers of the project are not aware of any public 3rd-party cog utilizing this API at the time of writing this advisory.
The
@commands.mod_or_can_manage_channel()
,@commands.admin_or_can_manage_channel()
, and@commands.guildowner_or_can_manage_channel()
command permission checks are unaffected.CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/AU:Y/R:U/RE:L
Patches
The problem was patched in PR #6398 and later released in version 3.5.10.
Workarounds
Any cog using the
@commands.can_manage_channel()
command permission check should be unloaded until an upgrade to a patched version can be performed.References
#6398
https://github.com/Cog-Creators/Red-DiscordBot/releases/tag/3.5.10
https://pypi.org/project/Red-DiscordBot/3.5.10/