CVE-2024-34712 — Oceanic allows unsanitized user input to lead to path traversal in URLs

Description

### Impact Input to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input such as `../../../channels/{id}` being normalized into the url `/api/v10/channels/{id}`, and deleting a channel rather than removing a ban. ### Workarounds * Sanitizing user input, ensuring strings are valid for the purpose they are being used for. * Encoding input with `encodeURIComponent` before providing it to the library. ### References OceanicJS/Oceanic@8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe

How to fix CVE-2024-34712

To remediate CVE-2024-34712, upgrade the affected package to a fixed version below.

—upgrade to 1.10.4 or later

Is CVE-2024-34712 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.10.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-34712
PATCHgithub.com/OceanicJS/Oceanic
WEBgithub.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe
WEBgithub.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg