CVE-2024-34712

Date: May 14, 2024

Oceanic is a Node.js library for interfacing with Discord. Prior to version 1.10.4, input to functions such as "Client.rest.channels.removeBan" is not URL-encoded, so specially crafted input such as "../../../channels/{id}" is normalized into the URL "/api/v10/channels/{id}", deleting a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available: one may sanitize user input, ensuring strings are valid for the purpose they are being used for, or encode input with "encodeURIComponent" before providing it to the library.
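
The normalization and the two workarounds described above, as an added example (not Oceanic's code and not part of the original advisory). It models route building with Node's built-in URL parser; the base URL, the "/guilds/{id}/bans/{id}" route layout, the snowflake length bound, and the helper names are assumptions, and all IDs are constructed sample values.

```javascript
// Added example, not Oceanic's code. BASE and the route layout are assumptions
// (Discord's documented ban route); all IDs below are constructed sample values.
const BASE = "https://discord.com/api/v10";
const GUILD = "111111111111111111";
const USER = "333333333333333333";
const CRAFTED = "../../../channels/222222222222222222"; // input shape from the advisory

// Build the ban route and return the path a WHATWG URL parser ends up with.
// Dot segments ("..") are collapsed during parsing, before any request is sent.
function resolvedPath(guildID, userID, encode) {
  const part = encode ? encodeURIComponent : (s) => s;
  const url = new URL(`${BASE}/guilds/${part(guildID)}/bans/${part(userID)}`);
  return url.pathname;
}

// Workaround 1 from the advisory: accept only strings valid for their purpose.
// Discord IDs are decimal snowflakes; the 17-20 digit bound is an assumption.
const SNOWFLAKE = /^\d{17,20}$/;
function assertSnowflake(value, name) {
  if (typeof value !== "string" || !SNOWFLAKE.test(value)) {
    throw new TypeError(`${name} is not a valid snowflake ID`);
  }
  return value;
}

// Both workarounds combined: validate first, then encode each path segment.
function safeBanPath(guildID, userID) {
  return resolvedPath(
    assertSnowflake(guildID, "guildID"),
    assertSnowflake(userID, "userID"),
    true
  );
}

console.log("raw:    ", resolvedPath(GUILD, CRAFTED, false));
console.log("encoded:", resolvedPath(GUILD, CRAFTED, true));
console.log("valid:  ", safeBanPath(GUILD, USER));
try {
  safeBanPath(GUILD, CRAFTED);
} catch (err) {
  console.log("rejected:", err.message);
}
```

With raw interpolation the resolved path leaves the ban route entirely; with encoding the slashes become "%2F" and the input stays inside the final path segment; with validation the input never reaches URL construction.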

Language: TYPE_SCRIPT

Severity Score

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Relative Path Traversal

CWE-23

Top Fix

Upgrade Version

Upgrade to version oceanic.js - 1.10.4

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE
