CVE-2024-34712

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-34712
Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input such as `../../../channels/{id}` being normalized into the url `/api/v10/channels/{id}`, and deleting a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available. One may sanitize user input, ensuring strings are valid for the purpose they are being used for. One may also encode input with `encodeURIComponent` before providing it to the library.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe
https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg
https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe
https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg
Configurations

No configuration.

History

21 Nov 2024, 09:19

Type Values Removed Values Added
References () https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe - () https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe -
References () https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg - () https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg -
Summary
  • (es) Oceanic es una librería NodeJS para interactuar con Discord. Antes de la versión 1.10.4, la entrada a funciones como `Client.rest.channels.removeBan` no está codificada en URL, lo que generaba entradas especialmente manipuladas como `../../../channels/{id}` normalizarse en la URL `/api/v10/channels/{id}` y eliminar un canal en lugar de eliminar una prohibición. La versión 1.10.4 soluciona este problema. Algunas soluciones están disponibles. Se pueden desinfectar las entradas del usuario, asegurándose de que las cadenas sean válidas para el propósito para el que se utilizan. También se puede codificar la entrada con `encodeURIComponent` antes de proporcionarla a la librería.

14 May 2024, 16:17

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-14 16:17

Updated : 2024-11-21 09:19

NVD link : CVE-2024-34712

Mitre link : CVE-2024-34712

CVE.ORG link : CVE-2024-34712

JSON object : View

Products Affected

No product.

CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-23

Relative Path Traversal


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024