Product Research Enterprise Plans Docs

PyPi: Oobabot

CVE-2023-37276

Transitive

Safety vulnerability ID: 60886

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jul 19, 2023 Updated at Nov 24, 2023

Scan your Python projects for vulnerabilities →

Advisory

Oobabot 0.2.3 updates its dependency 'aiohttp' to v3.8.5 to include a security fix.

Affected package

oobabot

Latest version: 0.2.3

A Discord bot which talks to Large Language Model AIs running on oobabooga's text-generation-webui

Affected versions

Fixed versions

Vulnerability changelog

Release v.0.2.3

Note: version 0.2.2 only updated oobabot-plugin, not oobabot. This
shows changes to oobabot since the prior release, [v0.2.1](RELEASE-0.2.1.md).

What's Changed

Mainly a bugfix update for 0.2.1, with a few fixes and configuration
parameters.

New Features

* Option to disable unsolicited replies entirely

Unsolicited replies are still enabled by default, but you can now disable them entirely by changing this setting in your config.yml:

yaml
If set, the bot will not reply to any messages that do not -mention it or include a
wakeword. If unsolicited replies are disabled, the unsolicited_channel_cap setting will
have no effect.
default: False
disable_unsolicited_replies: true

The objective of this change is to support cases where
unsolicited replies are not desired, such as when the bot is used in a
channel with a high volume of messages.

Bug Fixes / Tech Improvements

* Unicode logging reliability fix ooba_client.py

Unicode bugs in oobabooga seem to be a moving target, so
this fix gates the fix applied in 0.2.1 to only be applied
in cases where oobabooga is known to be broken.

* Security fix: Bump aiohttp from 3.8.4 to 3.8.5

Update dependency aiohttp to v3.8.5. This fixes [a security
issue in aiohttp](https://github.com/aio-libs/aiohttp/blob/v3.8.5/CHANGES.rst). On a quick scan it doesn't seem to be something
a user could exploit within oobabot, but better to update anyway.

* Preserve newlines when prompting the bot

In some cases the whitespace in user messages is important. One case is
described in the [issue 76, reported by xydreen](https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w).

When sending a prompt to the bot, we will now preserve any newlines
that the bot itself had generated in the past.

We will still strip newlines from messages from user-generated messages,
as otherwise they would have the ability to imitate our prompt format.
This would let users so inclined to fool the bot into thinking a
message was sent by another user, or even itself.

Full Changelog

[All changes from 0.2.1 to 0.2.3](https://github.com/chrisrude/oobabot/compare/v0.2.1...v0.2.3)

Resources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37276

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): HIGH
Availability Availability (A): NONE