1. Home
  2. Vulnerabilities
  3. CVE-2024-34712

CVE-2024-34712

CVSS v3.1 6.5 (Medium)
65% Progress
EPSS 0.04 % (11th)
0.04% Progress
Advisories 1
NVD Status Awaiting Analysis
Info CVSS EPSS CAPEC References Security Advisories Packages & Software Graph Web & Social Timeline

Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as Client.rest.channels.removeBan is not url-encoded, resulting in specially crafted input such as ../../../channels/{id} being normalized into the url /api/v10/channels/{id}, and deleting a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available. One may sanitize user input, ensuring strings are valid for the purpose they are being used for. One may also encode input with encodeURIComponent before providing it to the library.

Weaknesses
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-23
Relative Path Traversal
CVE Status
PUBLISHED
NVD Status
Awaiting Analysis
CNA
GitHub, Inc.
Published Date
2024-05-14 16:17:26
(4 months ago)
Updated Date
2024-05-14 19:17:55
(4 months ago)