Oceanic Fixes Input Normalization Vulnerability in Discord API
CVE-2024-34712

6.5MEDIUM

Key Information:

Vendor: Oceanicjs
Status: Oceanic
Vendor: CVE Published:; 14 May 2024

Summary

The Oceanic library for NodeJS, designed for interfacing with the Discord API, contains a vulnerability in versions prior to 1.10.4. The flaw arises from the library not properly URL-encoding inputs to functions, specifically in Client.rest.channels.removeBan. This allows an attacker to manipulate input values such as ../../../channels/{id}, which normalizes into an unintended URL /api/v10/channels/{id} leading to the deletion of channels instead of the intended action of removing a ban. Users of the library are advised to upgrade to version 1.10.4 or later. Alternative mitigation strategies include sanitizing user input and utilizing encodeURIComponent to ensure inputs are valid before they are processed by the library.

Affected Version(s)

Oceanic < 1.10.4

References

https://github.com/OceanicJS/Oceanic/security/advisories/...

x_refsource_CONFIRM

https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 14, 2024
Vulnerability Reserved
May 7, 2024

Collectors

NVD DatabaseMitre Database