Advisory Database

CVE-2024-31450: Owncast Path Traversal vulnerability

August 5, 2024 (updated November 18, 2024)

Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of that API allows administrators to delete custom emojis, which are saved on disk. The name parameter is taken from the JSON request body and appended directly to the file path of the emoji to delete, without validation. By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in 0.1.3.
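
The unsafe pattern the advisory describes, next to a hardened version, as an added Go example (not Owncast's own code; the emoji directory, function names and sample request names are constructed for illustration):

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errBadEmojiName = errors.New("invalid emoji name")

// vulnerableEmojiPath mirrors the pattern the advisory describes: the client-controlled
// name is appended to the emoji directory with no validation, so "../" walks out of it.
func vulnerableEmojiPath(dir, name string) string {
	return dir + "/" + name
}

// escapesDir reports whether p, once cleaned, resolves outside dir.
func escapesDir(dir, p string) bool {
	rel, err := filepath.Rel(dir, filepath.Clean(p))
	return err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeEmojiPath accepts only a bare file name and then re-checks that the joined
// path is still inside dir, so a traversal attempt is rejected instead of acted on.
func safeEmojiPath(dir, name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) ||
		name != filepath.Base(name) {
		return "", errBadEmojiName
	}
	p := filepath.Join(dir, name)
	if escapesDir(dir, p) {
		return "", errBadEmojiName
	}
	return p, nil
}

func main() {
	const dir = "/data/emoji" // constructed sample directory, not Owncast's real path
	for _, name := range []string{"party.png", "../../config/settings.yaml"} {
		p := vulnerableEmojiPath(dir, name)
		fmt.Printf("unsafe join: %s (escapes dir: %v)\n", filepath.Clean(p), escapesDir(dir, p))
		if safe, err := safeEmojiPath(dir, name); err != nil {
			fmt.Println("hardened:    rejected", name)
		} else {
			fmt.Println("hardened:   ", safe)
		}
	}
}
```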

References

  • github.com/advisories/GHSA-9355-27m8-h74v
  • github.com/owncast/owncast
  • github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go
  • github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e
  • github.com/owncast/owncast/releases/tag/v0.1.3
  • nvd.nist.gov/vuln/detail/CVE-2024-31450
  • securitylab.github.com/advisories/GHSL-2023-277_Owncast

Affected versions

All versions before 0.1.3

Fixed versions

  • 0.1.3

Solution

Upgrade to version 0.1.3 or above.

Impact: 2.7 LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Weakness

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Source file

go/github.com/owncast/owncast/CVE-2024-31450.yml

Page generated Wed, 14 May 2025 12:15:46 +0000.