Remote Code Execution in Red Discord Bot

Vulnerability

Overview

CVE-2020-15147 is a remote code execution (RCE) vulnerability found in the Streams module of Red Discord Bot, affecting versions before 3.3.12 and 3.4. The root cause is improper sanitization of user-supplied input within the 'going live' message handling. Discord users with the ability to send specially crafted 'going live' status messages can inject arbitrary code that the Streams module then executes [1][2].

Exploitation and

Attack Surface

Exploitation requires the attacker to be a Discord user who can trigger a 'going live' event visible to the bot. The vulnerability resides in the Streams module's message formatting logic; the bot processes the malicious input without adequate validation, allowing code injection. No additional authentication is needed beyond standard Discord access, and the attack can be performed remotely [1][4].

Impact

Successful exploitation grants the attacker the ability to execute arbitrary code in the context of the Red Discord Bot process. This could lead to destructive actions such as deleting servers or channels, exfiltrating sensitive information (e.g., tokens, configuration data), or further compromising the host system [1][2].

Mitigation and

Remediation

The vulnerability has been patched in Red Discord Bot versions 3.3.12 and 3.4. Users are strongly advised to update. A temporary workaround is to unload the Streams module using the unload streams command, which removes the vulnerable functionality until the update can be applied [1][3].