CVE-2024-31450 - OpenCVE

Vendors	Products
Owncast Project	Owncast

Link	Providers
https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63
https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e
https://github.com/owncast/owncast/releases/tag/v0.1.3
https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31450", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-03T17:55:32.646Z", "datePublished": "2024-04-19T18:59:19.526Z", "dateUpdated": "2024-08-02T01:52:56.997Z"}, "containers": {"cna": {"title": "Owncast vulnerable to arbitrary file deletion in emoji.go (GHSL-2023-277)", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/", "tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/"}, {"name": "https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e", "tags": ["x_refsource_MISC"], "url": "https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e"}, {"name": "https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63", "tags": ["x_refsource_MISC"], "url": "https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63"}, {"name": "https://github.com/owncast/owncast/releases/tag/v0.1.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/owncast/owncast/releases/tag/v0.1.3"}], "affected": [{"vendor": "owncast", "product": "owncast", "versions": [{"version": "< 0.1.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-19T18:59:19.526Z"}, "descriptions": [{"lang": "en", "value": "Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The parameter name is taken from the JSON request and directly appended to the filepath that points to the emoji to delete. By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in 0.1.3."}], "source": {"advisory": "GHSA-9355-27m8-h74v", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-31450", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-19T23:33:53.360262Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:owncast_project:owncast:*:*:*:*:*:*:*:*"], "vendor": "owncast_project", "product": "owncast", "versions": [{"status": "affected", "version": "*0.1.3"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:36:33.796Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:52:56.997Z"}, "title": "CVE Program Container", "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/"}, {"name": "https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e"}, {"name": "https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63"}, {"name": "https://github.com/owncast/owncast/releases/tag/v0.1.3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/owncast/owncast/releases/tag/v0.1.3"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31450", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-03T17:55:32.646Z", "datePublished": "2024-04-19T18:59:19.526Z", "dateUpdated": "2024-06-04T17:36:33.796Z"}, "containers": {"cna": {"title": "Owncast vulnerable to arbitrary file deletion in emoji.go (GHSL-2023-277)", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/", "tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/"}, {"name": "https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e", "tags": ["x_refsource_MISC"], "url": "https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e"}, {"name": "https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63", "tags": ["x_refsource_MISC"], "url": "https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63"}, {"name": "https://github.com/owncast/owncast/releases/tag/v0.1.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/owncast/owncast/releases/tag/v0.1.3"}], "affected": [{"vendor": "owncast", "product": "owncast", "versions": [{"version": "< 0.1.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-19T18:59:19.526Z"}, "descriptions": [{"lang": "en", "value": "Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The parameter name is taken from the JSON request and directly appended to the filepath that points to the emoji to delete. By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in 0.1.3."}], "source": {"advisory": "GHSA-9355-27m8-h74v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-31450", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-19T23:33:53.360262Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:owncast_project:owncast:*:*:*:*:*:*:*:*"], "vendor": "owncast_project", "product": "owncast", "versions": [{"status": "affected", "version": "*0.1.3"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-19T23:34:58.164Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The parameter name is taken from the JSON request and directly appended to the filepath that points to the emoji to delete. By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in 0.1.3."}, {"lang": "es", "value": "Owncast es un servidor de chat y transmisi\u00f3n de video en vivo de c\u00f3digo abierto, autohospedado, descentralizado y de un solo usuario. La aplicaci\u00f3n Owncast expone una API de administrador en la URL /api/admin. El endpoint emoji/eliminar de dicha API permite a los administradores eliminar emojis personalizados, que se guardan en el disco. El nombre del par\u00e1metro se toma de la solicitud JSON y se agrega directamente a la ruta del archivo que apunta al emoji que se eliminar\u00e1. Al utilizar secuencias de path traversal (../), los atacantes con privilegios administrativos pueden aprovechar este endpoint para eliminar archivos arbitrarios en el sistema, fuera del directorio emoji. Esta vulnerabilidad se solucion\u00f3 en 0.1.3."}], "id": "CVE-2024-31450", "lastModified": "2024-04-22T13:28:50.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-04-19T19:15:06.873", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63"}, {"source": "security-advisories@github.com", "url": "https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e"}, {"source": "security-advisories@github.com", "url": "https://github.com/owncast/owncast/releases/tag/v0.1.3"}, {"source": "security-advisories@github.com", "url": "https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object