Oceanic Fixes Input Normalization Vulnerability in Discord API

CVE-2024-34712

6.5MEDIUM

Key Information

Vendor: Oceanicjs
Status: Oceanic
Vendor: CVE Published:; 14 May 2024

Summary

Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input such as `../../../channels/{id}` being normalized into the url `/api/v10/channels/{id}`, and deleting a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available. One may sanitize user input, ensuring strings are valid for the purpose they are being used for. One may also encode input with `encodeURIComponent` before providing it to the library.

Affected Version(s)

Oceanic = < 1.10.4

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
May 14, 2024
Vulnerability Reserved.
May 7, 2024

Collectors

NVD DatabaseMitre Database