CVE-2024-34712 - OpenCVE

Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input such as `../../../channels/{id}` being normalized into the url `/api/v10/channels/{id}`, and deleting a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available. One may sanitize user input, ensuring strings are valid for the purpose they are being used for. One may also encode input with `encodeURIComponent` before providing it to the library.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe
https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-14T14:32:06.577Z

Updated: 2024-08-02T02:59:22.230Z

Reserved: 2024-05-07T13:53:00.133Z

Link: CVE-2024-34712

Vulnrichment

Updated: 2024-08-02T02:59:22.230Z

NVD

Status : Awaiting Analysis

Published: 2024-05-14T16:17:26.600

Modified: 2024-05-14T19:17:55.627

Link: CVE-2024-34712

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34712", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-07T13:53:00.133Z", "datePublished": "2024-05-14T14:32:06.577Z", "dateUpdated": "2024-08-02T02:59:22.230Z"}, "containers": {"cna": {"title": "Oceanic allows unsanitized user input to lead to path traversal in URLs", "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg"}, {"name": "https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe", "tags": ["x_refsource_MISC"], "url": "https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe"}], "affected": [{"vendor": "OceanicJS", "product": "Oceanic", "versions": [{"version": "< 1.10.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-14T14:32:06.577Z"}, "descriptions": [{"lang": "en", "value": "Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input such as `../../../channels/{id}` being normalized into the url `/api/v10/channels/{id}`, and deleting a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available. One may sanitize user input, ensuring strings are valid for the purpose they are being used for. One may also encode input with `encodeURIComponent` before providing it to the library."}], "source": {"advisory": "GHSA-5h5v-hw44-f6gg", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34712", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-16T16:13:51.308904Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:42:26.177Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:59:22.230Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg"}, {"name": "https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg", "name": "https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe", "name": "https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:59:22.230Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34712", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-16T16:13:51.308904Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-16T16:13:55.475Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Oceanic allows unsanitized user input to lead to path traversal in URLs", "source": {"advisory": "GHSA-5h5v-hw44-f6gg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "OceanicJS", "product": "Oceanic", "versions": [{"status": "affected", "version": "< 1.10.4"}]}], "references": [{"url": "https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg", "name": "https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe", "name": "https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input such as `../../../channels/{id}` being normalized into the url `/api/v10/channels/{id}`, and deleting a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available. One may sanitize user input, ensuring strings are valid for the purpose they are being used for. One may also encode input with `encodeURIComponent` before providing it to the library."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-14T14:32:06.577Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34712", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:59:22.230Z", "dateReserved": "2024-05-07T13:53:00.133Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-14T14:32:06.577Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input such as `../../../channels/{id}` being normalized into the url `/api/v10/channels/{id}`, and deleting a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available. One may sanitize user input, ensuring strings are valid for the purpose they are being used for. One may also encode input with `encodeURIComponent` before providing it to the library."}, {"lang": "es", "value": "Oceanic es una librer\u00eda NodeJS para interactuar con Discord. Antes de la versi\u00f3n 1.10.4, la entrada a funciones como `Client.rest.channels.removeBan` no est\u00e1 codificada en URL, lo que generaba entradas especialmente manipuladas como `../../../channels/{id}` normalizarse en la URL `/api/v10/channels/{id}` y eliminar un canal en lugar de eliminar una prohibici\u00f3n. La versi\u00f3n 1.10.4 soluciona este problema. Algunas soluciones est\u00e1n disponibles. Se pueden desinfectar las entradas del usuario, asegur\u00e1ndose de que las cadenas sean v\u00e1lidas para el prop\u00f3sito para el que se utilizan. Tambi\u00e9n se puede codificar la entrada con `encodeURIComponent` antes de proporcionarla a la librer\u00eda."}], "id": "CVE-2024-34712", "lastModified": "2024-05-14T19:17:55.627", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-14T16:17:26.600", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe"}, {"source": "security-advisories@github.com", "url": "https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-23"}], "source": "security-advisories@github.com", "type": "Secondary"}]}