{"id":"CVE-2024-39905","summary":"Red-DiscordBot vulnerable to Incorrect Authorization in commands API","details":"Red is a fully modular Discord bot. Due to a bug in Red's Core API, 3rd-party cogs using the `@commands.can_manage_channel()` command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel. None of the core commands or core cogs are affected. The maintainers of the project are not aware of any _public_ 3rd-party cog utilizing this API at the time of writing this advisory. The problem was patched and released in version 3.5.10.","aliases":["GHSA-5jq8-q6rj-9gq4"],"modified":"2026-05-01T04:25:33.923336Z","published":"2024-07-11T15:43:34.437Z","database_specific":{"cwe_ids":["CWE-863"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39905.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39905.json"},{"type":"ADVISORY","url":"https://github.com/Cog-Creators/Red-DiscordBot/security/advisories/GHSA-5jq8-q6rj-9gq4"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39905"},{"type":"FIX","url":"https://github.com/Cog-Creators/Red-DiscordBot/commit/0b0b23b9717b40ed4f8715720b199417c8e89750"},{"type":"FIX","url":"https://github.com/Cog-Creators/Red-DiscordBot/pull/6398"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cog-creators/red-discordbot","events":[{"introduced":"0"},{"fixed":"0b0b23b9717b40ed4f8715720b199417c8e89750"}]},{"type":"GIT","repo":"https://github.com/cog-creators/red-discordbot","events":[{"introduced":"0"},{"fixed":"0b0b23b9717b40ed4f8715720b199417c8e89750"}]}],"versions":["3.0.0b10","3.0.0b11","3.0.0b12","3.0.0b13","3.0.0b14","3.0.0b15","3.0.0b16","3.0.0b17","3.0.0b17.post1","3.0.0b18","3.0.0b19","3.0.0b20","3.0.0b21","3.0.0b8","3.0.0b8-1","3.0.0b9","3.1.0","3.1.1","3.1.2","3.1.3","3.1.4","3.2.0","3.2.1","3.2.2","3.2.3","3.3.0","3.3.1","3.3.10","3.3.2","3.3.3","3.3.4","3.3.5","3.3.6","3.3.7","3.3.8","3.3.9","3.4.0","3.4.1","3.4.10","3.4.12","3.4.2","3.4.3","3.4.4","3.4.5","3.4.6","3.4.7","3.4.8","3.4.9","3.5.0","3.5.1","3.5.2","3.5.3","3.5.4","3.5.5","3.5.6","3.5.7","3.5.8","3.5.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-39905.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}