CVE-2024-31450 — LOW (2.7) — White Hats Nepal

Q: How severe is CVE-2024-31450?

CVE-2024-31450 has been rated LOW with a CVSS base score of 2.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-31450?

Check the references section above for vendor advisories and patch information. Affected products include: Owncast Project Owncast.

Vulnerability Description

Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The parameter name is taken from the JSON request and directly appended to the filepath that points to the emoji to delete. By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in 0.1.3.

CVSS Score

2.7

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

LOW

Affected Products

Vendor	Product	Versions
Owncast Project	Owncast	< 0.1.3

Related Weaknesses (CWE)

CWE-22

References

https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63Product
https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f48064507Patch
https://github.com/owncast/owncast/releases/tag/v0.1.3Release Notes
https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/ExploitThird Party Advisory
https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63Product
https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f48064507Patch
https://github.com/owncast/owncast/releases/tag/v0.1.3Release Notes
https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/ExploitThird Party Advisory

FAQ

What is CVE-2024-31450?

CVE-2024-31450 is a vulnerability with a CVSS score of 2.7 (LOW). Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete en...

How severe is CVE-2024-31450?

CVE-2024-31450 has been rated LOW with a CVSS base score of 2.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-31450?

Check the references section above for vendor advisories and patch information. Affected products include: Owncast Project Owncast.