Description
JDA (Java Discord API) downloads external URLs when updating message components
Impact
Anyone using untrusted message components may be affected. On versions >=6.0.0,<6.1.3 of JDA, the requester will attempt to download external media URLs from components if they are used in an update or send request.
If you use Message#getComponents or a similar method to get a list of components and then send those components with sendMessageComponents or other methods, you might unintentionally download media from an external URL in the resolved media of a Thumbnail, FileDisplay, or MediaGallery.
Patches
This bug has been fixed in 6.1.3, and we recommend updating.
Workarounds
Avoid sending components from untrusted messages or update to version 6.1.3.
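To find builds that still declare a JDA release inside the affected range, the added example below (not part of the advisory or of JDA) scans Gradle and Maven build files for the net.dv8tion:JDA coordinate and compares the declared version with >= 6.0.0, < 6.1.3. The sample build files and function names are constructed for illustration, and ignoring version qualifiers is an assumption of this sketch.

```python
import re

AFFECTED_MIN = (6, 0, 0)  # inclusive lower bound, from the advisory
FIXED = (6, 1, 3)         # first patched release, from the advisory
GRADLE_RE = re.compile(r"net\.dv8tion:JDA:([^\s\"'<)]+)")
MAVEN_RE = re.compile(
    r"<groupId>\s*net\.dv8tion\s*</groupId>\s*"
    r"<artifactId>\s*JDA\s*</artifactId>\s*"
    r"<version>\s*([^<\s]+)\s*</version>"
)

def parse_version(text):
    """Return the numeric (major, minor, patch) core, or None if not numeric."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    return tuple(int(p or 0) for p in m.groups()) if m else None

def is_affected(version):
    # Assumption: qualifiers ("-rc.1") are ignored, so pre-releases are flagged.
    core = parse_version(version)
    return core is not None and AFFECTED_MIN <= core < FIXED

def scan_build_file(content):
    """Return [(declared_version, status)] for each JDA dependency found."""
    results = []
    for version in GRADLE_RE.findall(content) + MAVEN_RE.findall(content):
        if parse_version(version) is None:
            status = "unresolved"  # e.g. ${jdaVersion}: resolve it by hand
        else:
            status = "affected" if is_affected(version) else "ok"
        results.append((version, status))
    return results

# Constructed sample build files, not taken from any real project.
SAMPLE_GRADLE = '''
dependencies {
    implementation("net.dv8tion:JDA:6.1.0")
    testImplementation 'net.dv8tion:JDA:6.1.3'
    implementation "net.dv8tion:JDA:${jdaVersion}"
}
'''
SAMPLE_POM = """<dependency>
  <groupId>net.dv8tion</groupId>
  <artifactId>JDA</artifactId>
  <version>5.0.0</version>
</dependency>"""

if __name__ == "__main__":
    for found in scan_build_file(SAMPLE_GRADLE + SAMPLE_POM):
        print(found)
```

Versions pulled in transitively or set through a property show up as "unresolved" or not at all, so confirm the resolved version with the build tool's own dependency report.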
Packages
Package: net.dv8tion:JDA
Affected versions: >= 6.0.0, < 6.1.3
Fixed version: 6.1.3
Severity: 6.9 Medium (CVSS4)