CVE-2024-34712
MEDIUM
Oceanic.js < 1.10.4 - Path Traversal via Unencoded API Endpoint Input
Oceanic is a Node.js library for interfacing with Discord. Prior to version 1.10.4, input to functions such as `Client.rest.channels.removeBan` is not URL-encoded, so specially crafted input such as `../../../channels/{id}` is normalized into the URL `/api/v10/channels/{id}`, and the request deletes a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available: sanitize user input, ensuring strings are valid for the purpose they are being used for, or encode input with `encodeURIComponent` before providing it to the library.
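The normalization described above, reproduced with Node's WHATWG `URL` parser next to the two workarounds the advisory lists. This is an added example, not Oceanic's code; the host, the `/guilds/{guildID}/bans/{userID}` route shape, the sample IDs and the 17-20 digit ID check are assumptions.

```javascript
// Added illustration, not Oceanic's code. Nothing is sent over the network.
const BASE = "https://discord.example/api/v10"; // constructed host

// Assumed route shape for removing a ban: /guilds/{guildID}/bans/{userID}
// Vulnerable pattern: IDs interpolated into the path without encoding.
function unsafeBanPath(guildID, userID) {
  return `/guilds/${guildID}/bans/${userID}`;
}

// Workaround 1 from the advisory: encode each ID as a single path segment.
function encodedBanPath(guildID, userID) {
  return `/guilds/${encodeURIComponent(guildID)}/bans/${encodeURIComponent(userID)}`;
}

// Workaround 2: validate that the value is what it claims to be.
// Assumption: Discord IDs (snowflakes) are 17-20 decimal digits.
function assertSnowflake(value, name) {
  if (typeof value !== "string" || !/^\d{17,20}$/.test(value)) {
    throw new TypeError(`${name} is not a valid ID`);
  }
  return value;
}

// Pathname after WHATWG URL parsing, which removes "." and ".." segments.
function resolvedPath(path) {
  return new URL(BASE + path).pathname;
}

// Defense-in-depth check: the parsed path must equal the path we built.
function staysOnRoute(path) {
  return resolvedPath(path) === new URL(BASE).pathname + path;
}

// Constructed sample values
const GUILD = "111111111111111111";
const CHANNEL = "222222222222222222";
const crafted = `../../../channels/${CHANNEL}`; // input shape from the advisory

console.log(resolvedPath(unsafeBanPath(GUILD, crafted)));  // route changed
console.log(staysOnRoute(unsafeBanPath(GUILD, crafted)));  // check fails
console.log(resolvedPath(encodedBanPath(GUILD, crafted))); // stays under /bans/
console.log(staysOnRoute(encodedBanPath(GUILD, crafted))); // check passes
```

Validating IDs before they reach the library rejects the crafted value outright, while encoding keeps it confined to one path segment.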
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg
Scores
CVSS v3
6.5
EPSS
0.0055
EPSS Percentile
41.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
CWE-23
Status
published
Products (2)
npm/oceanic.js
0 - 1.10.4
npm
OceanicJS/Oceanic
< 1.10.4
Published
May 14, 2024
Tracked Since
Feb 18, 2026