PT-2021-14503 · Unknown · Sopel-Channelmgnt

Rhinosf1 · Published 2021-04-09 · Updated 2022-10-24 · CVE-2021-21431

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: sopel-channelmgnt versions prior to 2.0.1

Description: The issue concerns the sopel-channelmgnt plugin for sopel. The restriction that prevents the bot from being removed via the kick/kickban command could be bypassed on some IRC servers when kicking multiple users at once (the command's comma-separated target list). It is also believed that it may have been possible to remove users from other channels, but due to the complexity of IRC and the RFCs involved, there is no proof of concept for this. Freenode is not affected.

Recommendations: As a temporary workaround, do not use this plugin on networks where TARGMAX > 1. Upgrade to version 2.0.1 or higher to fix the issue.
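The bypass described above comes down to a self-protection check that compares a raw argument with the bot's nick while the server accepts a comma-separated list of targets. The following added example (not the plugin's own code; the nick, channel and function names are assumed for illustration) shows that flawed pattern beside a hardened check that splits the target lists, folds nick case under RFC 1459 casemapping, and limits kicks to the channel the command was issued in.

```python
import re

# Constructed values for illustration only; not taken from the plugin.
BOT_NICK = "examplebot"            # assumed bot nick
CURRENT_CHANNEL = "#examplechan"   # assumed channel the command was issued in


def irc_lower(name: str) -> str:
    """Case-fold a nick or channel under RFC 1459 casemapping: on most
    servers []\\~ are the upper-case forms of {}|^, so they fold together."""
    return name.lower().translate(str.maketrans("[]\\~", "{}|^"))


def kick_targets_vulnerable(channel: str, users: str,
                            bot_nick: str = BOT_NICK) -> bool:
    """Flawed pattern: compares the raw argument with the bot nick, so an
    argument like 'alice,examplebot' passes the check unchanged and, on a
    server with TARGMAX > 1, kicks the bot along with alice."""
    return users != bot_nick


def kick_targets_hardened(channel_arg: str, users_arg: str,
                          bot_nick: str = BOT_NICK,
                          current_channel: str = CURRENT_CHANNEL) -> bool:
    """Split the target lists KICK accepts and refuse the command if any
    channel or user is one the bot should not touch. Returns True only when
    the command is safe to forward to the server."""
    channels = [c for c in channel_arg.split(",") if c]
    users = [u for u in re.split(r"[,\s]+", users_arg.strip()) if u]
    if not users:
        return False
    # Only the channel the command was issued in may be targeted, so a
    # multi-channel list cannot reach users elsewhere.
    if any(irc_lower(c) != irc_lower(current_channel) for c in channels):
        return False
    # The bot must never appear among the user targets, whatever the casing.
    if any(irc_lower(u) == irc_lower(bot_nick) for u in users):
        return False
    return True
```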

Fix · Improper Access Control · RCE

Weakness Enumeration

Related Identifiers

CVE-2021-21431
GHSA-23C7-6444-399M
PYSEC-2021-58

Affected Products

Sopel-Channelmgnt