CVE-2021-21431

Improper Input Validation in sopel-plugins.channelmgnt

Description

sopel-channelmgnt is a channelmgnt plugin for sopel. In versions prior to 2.0.1, on some IRC servers, restrictions around the removal of the bot using the kick/kickban command could be bypassed when kicking multiple users at once. We also believe it may have been possible to remove users from other channels but due to the wonder that is IRC and following RfCs, We have no POC for that. Freenode is not affected. This is fixed in version 2.0.1. As a workaround, do not use this plugin on networks where TARGMAX > 1.

Category

7.6
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.10%
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory pypi.org
Affected: MirahezeBots sopel-channelmgnt
Published at:
Updated at:

References

Link Tags
https://pypi.org/project/sopel-plugins.channelmgnt/ third party advisory product
https://github.com/MirahezeBots/sopel-channelmgnt/security/advisories/GHSA-23c7-6444-399m third party advisory
https://github.com/MirahezeBots/sopel-channelmgnt/commit/7c96d400358221e59135f0a0be0744f3fad73856 third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2021-21431?
CVE-2021-21431 has been scored as a high severity vulnerability.
How to fix CVE-2021-21431?
To fix CVE-2021-21431, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-21431 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-21431 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-21431?
CVE-2021-21431 affects MirahezeBots sopel-channelmgnt.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.