CVE-2024-34712
Oceanic allows unsanitized user input to lead to path traversal in URLs
6.5
MEDIUM
CVSS 3.1
EPSS 0.23%
描述
### Impact Input to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input such as `../../../channels/{id}` being normalized into the url `/api/v10/channels/{id}`, and deleting a channel rather than removing a ban. ### Workarounds * Sanitizing user input, ensuring strings are valid for the purpose they are being used for. * Encoding input with `encodeURIComponent` before providing it to the library. ### References OceanicJS/Oceanic@8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe
如何修補 CVE-2024-34712
要修補 CVE-2024-34712,請將受影響套件升級到下列已修補版本。
- —升級至 1.10.4 或更新版本
CVE-2024-34712 正在被利用嗎?
低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 1.10.4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |