CVE-2024-34712

Oceanic allows unsanitized user input to lead to path traversal in URLs

CVSS 6.5 MEDIUMEPSS 0.6%CWE-22 CWE-23

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.5EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

14 May 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input such as `../../../channels/{id}` being normalized into the url `/api/v10/channels/{id}`, and deleting a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available. One may sanitize user input, ensuring strings are valid for the purpose they are being used for. One may also encode input with `encodeURIComponent` before providing it to the library.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Affected products

OceanicJS · Oceanic

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg