Description
Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attacker-controlled serviceUrl value. Attackers can poison the stored conversation reference by sending a crafted inbound activity to the Teams webhook, causing subsequent bot replies to send requests that carry the bearer token in the Authorization header to an attacker-controlled host.
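A defensive check for the condition described above, as an added example that is not nanobot's code or its patch: validate serviceUrl against an allowlist before a conversation reference is stored, and again before a reply is sent. The `ConversationStore` class, its method names and the allowlist contents are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts this deployment accepts as Bot Framework connector
# endpoints. Set this for your own cloud/tenant; it is not taken from the advisory.
ALLOWED_SERVICE_HOSTS = frozenset({"smba.trafficmanager.net"})


def is_trusted_service_url(service_url) -> bool:
    """True only for https URLs whose host is exactly on the allowlist."""
    if not isinstance(service_url, str):
        return False
    try:
        parts = urlsplit(service_url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or port not in (None, 443):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # blocks https://trusted-host@other-host/ confusion
    host = (parts.hostname or "").rstrip(".").lower()
    return host in ALLOWED_SERVICE_HOSTS  # exact match, no suffix matching


class ConversationStore:
    """Hypothetical store of serviceUrl values keyed by conversation id."""

    def __init__(self):
        self._refs = {}

    def remember(self, activity: dict) -> bool:
        """Store the reference only when serviceUrl is trusted.

        An untrusted activity never overwrites an existing reference.
        """
        conv_id = (activity.get("conversation") or {}).get("id")
        url = activity.get("serviceUrl")
        if not conv_id or not is_trusted_service_url(url):
            return False
        self._refs[conv_id] = url
        return True

    def reply_target(self, conv_id: str):
        """Re-validate at send time so an older poisoned entry is not used."""
        url = self._refs.get(conv_id)
        return url if is_trusted_service_url(url) else None
```

The token-bearing request should only be built when `reply_target` returns a URL; a `None` result is worth logging as a rejected conversation reference.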
CVSS breakdown
CVSS 4.0
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: Present
- Privileges Required: None
- User Interaction: None
- Confidentiality (Vulnerable System): None
- Integrity (Vulnerable System): Low
- Availability (Vulnerable System): None
- Confidentiality (Subsequent System): High
- Integrity (Subsequent System): High
- Availability (Subsequent System): None
Affected products
- HKUDS / nanobot: 0 – 0.2.1
References
- PATCH: https://github.com/HKUDS/nanobot/releases/tag/v0.2.1
- PATCH: https://github.com/HKUDS/nanobot/pull/4047
- PATCH: https://github.com/HKUDS/nanobot/commit/232df45126bcf0f8fccd123d73714f202c8e8612
- VENDOR_ADVISORY: https://www.vulncheck.com/advisories/nanobot-ssrf-via-microsoft-teams-channel-serviceurl-poisoning