Vulnerability Description
Oceanic is a Node.js library for interfacing with Discord. Prior to version 1.10.4, input to functions such as `Client.rest.channels.removeBan` is not URL-encoded, so specially crafted input such as `../../../channels/{id}` is normalized into the URL `/api/v10/channels/{id}`, and the request deletes a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available: one may sanitize user input, ensuring strings are valid for the purpose they are being used for, or encode input with `encodeURIComponent` before providing it to the library.
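The normalization and both workarounds can be reproduced offline with the following added example, which is not Oceanic's code. The host, the IDs, the helper names, the `/guilds/{id}/bans/{id}` route shape and the 17-20 digit ID format are assumptions, and the WHATWG `URL` parser stands in for whatever normalizes the path in the HTTP layer.

```javascript
"use strict";
// Added example. Host, IDs and helper names are constructed for illustration.
const API_BASE = "https://api.example.invalid/api/v10";
const GUILD = "111111111111111111";   // constructed ID
const CHANNEL = "222222222222222222"; // constructed ID

// Pre-fix pattern: the caller's string is interpolated into the path as-is.
function banRouteRaw(guildID, userID) {
  return `/guilds/${guildID}/bans/${userID}`;
}

// Workaround: percent-encode every caller-supplied path segment.
function banRouteEncoded(guildID, userID) {
  return `/guilds/${encodeURIComponent(guildID)}/bans/${encodeURIComponent(userID)}`;
}

// Workaround: validate before use. Assumption: IDs are 17-20 decimal digits.
function requireSnowflake(value) {
  if (typeof value !== "string" || !/^\d{17,20}$/.test(value)) {
    throw new TypeError("not a valid ID");
  }
  return value;
}

// Dot-segment removal as performed by a standards-compliant URL parser.
function resolvedPath(route) {
  return new URL(API_BASE + route).pathname;
}

function demo() {
  const crafted = `../../../channels/${CHANNEL}`;
  return {
    // "../" segments climb out of /guilds/{id}/bans/ and land on a channel route.
    raw: resolvedPath(banRouteRaw(GUILD, crafted)),
    // "/" becomes %2F, so the value stays a single segment under /bans/.
    encoded: resolvedPath(banRouteEncoded(GUILD, crafted)),
    // encodeURIComponent leaves "." untouched: a bare ".." still drops a segment.
    bareDots: resolvedPath(banRouteEncoded(GUILD, "..")),
  };
}

console.log(demo());
```

The `bareDots` case is why validating the ID format is the stronger of the two workarounds when the library itself cannot be upgraded.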
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a
- https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg
FAQ
What is CVE-2024-34712?
CVE-2024-34712 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input ...
How severe is CVE-2024-34712?
CVE-2024-34712 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-34712?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.