CVE-2024-34712: Oceanic allows unsanitized user input to lead to path traversal in URLs

May 14, 2024

Input to functions such as Client.rest.channels.removeBan is not url-encoded, resulting in specially crafted input such as ../../../channels/{id} being normalized into the url /api/v10/channels/{id}, and deleting a channel rather than removing a ban.

References

github.com/OceanicJS/Oceanic
github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe
github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg
github.com/advisories/GHSA-5h5v-hw44-f6gg
nvd.nist.gov/vuln/detail/CVE-2024-34712

Detect and mitigate CVE-2024-34712 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →