Skip to content

Oceanic allows unsanitized user input to lead to path traversal in URLs

Moderate severity GitHub Reviewed Published May 14, 2024 in OceanicJS/Oceanic • Updated May 14, 2024

Package

npm oceanic.js (npm)

Affected versions

< 1.10.4

Patched versions

1.10.4

Description

Impact

Input to functions such as Client.rest.channels.removeBan is not url-encoded, resulting in specially crafted input such as ../../../channels/{id} being normalized into the url /api/v10/channels/{id}, and deleting a channel rather than removing a ban.

Workarounds

  • Sanitizing user input, ensuring strings are valid for the purpose they are being used for.
  • Encoding input with encodeURIComponent before providing it to the library.

References

OceanicJS/Oceanic@8bf8ee8

References

@DonovanDMC DonovanDMC published to OceanicJS/Oceanic May 14, 2024
Published by the National Vulnerability Database May 14, 2024
Published to the GitHub Advisory Database May 14, 2024
Reviewed May 14, 2024
Last updated May 14, 2024

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2024-34712

GHSA ID

GHSA-5h5v-hw44-f6gg

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.