{"id":"PYSEC-2022-235","details":"WebInterface in OctoBot before 0.4.4 allows remote code execution because Tentacles upload is mishandled.","aliases":["CVE-2021-36711","GHSA-fr75-x856-q6j8"],"modified":"2023-11-01T04:55:47.345332Z","published":"2022-07-16T17:15:00Z","references":[{"type":"WEB","url":"https://packetstormsecurity.com/files/167721/Sashimi-Evil-OctoBot-Tentacle.html"},{"type":"WEB","url":"https://github.com/Nwqda/Sashimi-Evil-OctoBot-Tentacle"},{"type":"WEB","url":"https://github.com/Drakkar-Software/OctoBot/blob/master/CHANGELOG.md"},{"type":"REPORT","url":"https://github.com/Drakkar-Software/OctoBot/issues/1966"},{"type":"WEB","url":"https://www.octobot.online/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-fr75-x856-q6j8"}],"affected":[{"package":{"name":"octobot","ecosystem":"PyPI","purl":"pkg:pypi/octobot"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.4.4"}]}],"versions":["0.2.4b1","0.2.4b2","0.3.1","0.3.2b0","0.3.3","0.3.4","0.3.5","0.3.6","0.3.7","0.3.8","0.3.9","0.4.0a11","0.4.0a12","0.4.0a13","0.4.0a14","0.4.0a15","0.4.0a16","0.4.0a17","0.4.0a18","0.4.0a19","0.4.0a2","0.4.0a20","0.4.0a21","0.4.0a22","0.4.0a23","0.4.0a24","0.4.0a25","0.4.0a26","0.4.0a3","0.4.0a4","0.4.0a5","0.4.0a6","0.4.0a7","0.4.0a8","0.4.0a9","0.4.0b1","0.4.0b10","0.4.0b11","0.4.0b12","0.4.0b13","0.4.0b14","0.4.0b15","0.4.0b16","0.4.0b17","0.4.0b2","0.4.0b3","0.4.0b4","0.4.0b5","0.4.0b6","0.4.0b7","0.4.0b8","0.4.0b9","0.4.1","0.4.2","0.4.3"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/octobot/PYSEC-2022-235.yaml"}}],"schema_version":"1.7.3"}