SCA: security update for sopel-plugins.channelmgnt (GHSA-23c7-6444-399m)

high Tenable Self-Hosted Container Security Plugin ID 408626

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- sopel-channelmgnt is a channelmgnt plugin for sopel. In versions prior to 2.0.1, on some IRC servers,
restrictions around the removal of the bot using the kick/kickban command could be bypassed when kicking
multiple users at once. We also believe it may have been possible to remove users from other channels but
due to the wonder that is IRC and following RfCs, We have no POC for that. Freenode is not affected. This
is fixed in version 2.0.1. As a workaround, do not use this plugin on networks where TARGMAX > 1.
(CVE-2021-21431)

See Also

https://github.com/advisories/GHSA-23c7-6444-399m

Plugin Details

Severity: High

ID: 408626

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

Percentile: 56.9

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS Score Source: CVE-2021-21431

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/9/2021

Vulnerability Publication Date: 4/9/2021

Reference Information

CVE: CVE-2021-21431