CVE-2024-49770

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Published: Nov 1, 2024 / Updated: 18d ago

Medium Severity (Estimated)
EPSS 0.05%

Summary

The vulnerability affects the `oak` middleware framework, which is used for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers, and Bun. In versions prior to 17.1.3, there is a bypass in the `Context.send` API that allows for transferring hidden files. This bypass can be achieved by encoding the forward slash '/' as its URL encoded form '%2F', circumventing the default protection against hidden file transfers.

Impact

This vulnerability could allow an attacker to read sensitive user data or gain access to server secrets. It's a path traversal issue, which could potentially expose confidential information or system files that should not be accessible through the web server. This could lead to unauthorized access, data breaches, or further exploitation of the system.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability has been fixed in version 17.1.3 of the `oak` middleware framework. Users should upgrade to this version or later to mitigate the risk.

Mitigation

To mitigate this vulnerability:

1. Upgrade the `oak` middleware framework to version 17.1.3 or later.
2. If immediate upgrading is not possible, implement additional server-side validation to prevent path traversal attempts, especially those using URL encoding.
3. Restrict access to sensitive directories and files on the server.
4. Implement the principle of least privilege for the application and server processes.
5. Regularly audit and monitor file access logs for any suspicious activities.
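Step 2 above asks for server-side validation that URL encoding cannot defeat. The following is an added TypeScript example, not `oak`'s code and not the 17.1.3 fix itself: it places a naive hidden-file check that inspects the raw request path next to a hardened one that percent-decodes (repeatedly, to catch double encoding) before inspecting each path segment. `ROOT`, `SAMPLE_REQUESTS` and the function names are constructed for this illustration.

```typescript
// Added example (not oak's code): a hidden-file check on the raw request
// path versus one that percent-decodes before inspecting path segments.
// ROOT and SAMPLE_REQUESTS are constructed for this illustration.

const ROOT = "/srv/www"; // hypothetical served root directory

// A segment names a hidden file when it begins with "." and is neither
// the current-directory "." nor the parent-directory "..".
function isDotfileSegment(segment: string): boolean {
  return segment.charAt(0) === "." && segment !== "." && segment !== "..";
}

// Weak check: looks at the path as received. "%2F.env" is one segment
// that does not begin with ".", so the dotfile is never noticed.
function hasHiddenSegmentRaw(requestPath: string): boolean {
  return requestPath.split("/").some(isDotfileSegment);
}

// Percent-decode repeatedly so double encoding (%252F -> %2F -> /) cannot
// hide a separator. Returns null for malformed encodings or for input that
// is still changing after maxRounds; the caller rejects both.
function decodeFully(requestPath: string, maxRounds = 3): string | null {
  let current = requestPath;
  for (let round = 0; round < maxRounds; round++) {
    let decoded: string;
    try {
      decoded = decodeURIComponent(current);
    } catch (_err) {
      return null; // URIError, e.g. "%zz" or a dangling "%"
    }
    if (decoded === current) {
      return decoded; // fixed point reached: nothing left to decode
    }
    current = decoded;
  }
  return null;
}

interface Verdict {
  allowed: boolean;
  reason: string;
  resolved?: string;
}

// Hardened check: decode first, then examine each segment of the decoded
// path. Parent-directory segments are rejected outright rather than
// resolved, so an allowed result can only point inside root.
function resolveWithinRoot(root: string, requestPath: string): Verdict {
  const decoded = decodeFully(requestPath);
  if (decoded === null) {
    return { allowed: false, reason: "malformed or over-encoded path" };
  }
  const kept: string[] = [];
  const parts = decoded.split("/");
  for (let i = 0; i < parts.length; i++) {
    const segment = parts[i];
    if (segment === "" || segment === ".") continue; // "//" or "."
    if (segment === "..") {
      return { allowed: false, reason: "parent-directory segment" };
    }
    if (isDotfileSegment(segment)) {
      return { allowed: false, reason: "hidden segment " + JSON.stringify(segment) };
    }
    kept.push(segment);
  }
  return { allowed: true, reason: "ok", resolved: root + "/" + kept.join("/") };
}

// Constructed sample requests: a normal file, the literal dotfile, the
// encoded-slash form described in the advisory, a double-encoded form,
// a parent traversal and a malformed encoding.
const SAMPLE_REQUESTS = [
  "/index.html",
  "/.env",
  "/%2F.env",
  "/%252F.env",
  "/docs/..%2F.git/config",
  "/%zz",
];

// Runs both checks over the samples so the difference is visible.
function compareChecks(paths: string[]): { path: string; rawBlocks: boolean; hardened: Verdict }[] {
  return paths.map((p) => ({
    path: p,
    rawBlocks: hasHiddenSegmentRaw(p),
    hardened: resolveWithinRoot(ROOT, p),
  }));
}

for (const row of compareChecks(SAMPLE_REQUESTS)) {
  console.log(row.path, "| raw check blocks:", row.rawBlocks, "| hardened allows:", row.hardened.allowed, "(" + row.hardened.reason + ")");
}
```

Running the block shows the raw check letting `/%2F.env` through while the decoded check rejects it as a hidden segment; the decode loop is capped so a request that keeps changing after several rounds is refused rather than decoded indefinitely.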

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (5001433)

Nov 1, 2024 at 7:53 AM
Vendor Advisory

GitHub Advisories released a security advisory.

Nov 1, 2024 at 9:08 AM
CVE Assignment

NVD published the first details for CVE-2024-49770

Nov 1, 2024 at 5:15 PM
First Article

Feedly found the first article mentioning CVE-2024-49770. See article

Nov 1, 2024 at 5:20 PM / Vulners.com RSS Feed
CVSS

A CVSS base score of 7.7 has been assigned.

Nov 1, 2024 at 5:20 PM / nvd
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 1, 2024 at 5:21 PM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 1, 2024 at 9:45 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.7%)

Nov 2, 2024 at 10:04 AM

Patches

Github Advisory

Attack Patterns

CAPEC-126: Path Traversal

Vendor Advisory

[GHSA-qm92-93fv-vh7m] Path traversal in oak allows transfer of hidden files within the served root directory
For an attacker this has potential to read sensitive user data or to gain access to server secrets. await app.listen({ port: 8000 }); In terminal: # setup root directory

News

CVE-2024-49770
`oak` is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. By default `oak` does not allow transferring of hidden files with `Context.send` API. However, prior to version 17.1.3, this can be bypassed by encoding `/` as its URL encoded form `%2F`.
NA - CVE-2024-49770 - `oak` is a middleware framework for Deno's...
`oak` is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. By default `oak` does not allow transferring of hidden files...
CVE-2024-49770 oak's path traversal allows transfer of hidden files within the served root directory
oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. By default oak does not allow transferring of hidden files with Context.send API. However, prior to version 17.1.3, this can be bypassed by encoding / as its URL encoded form %2F. For an attacker this has potential to read sensitive user data or to gain access to server secrets. Version 17.1.3 fixes the...
CVE-2024-49770 - OAK File Transfer Path Traversal Vulnerability
CVE ID : CVE-2024-49770 Published : Nov. 1, 2024, 5:15 p.m. 52 minutes ago Description : `oak` is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. By default `oak` does not allow transferring of hidden files with `Context.send` API. However, prior to version 17.1.3, this can be bypassed by encoding `/` as its URL encoded form `%2F`. For an attacker this has potential to read sensitive user data or to gain access to server secrets.

CVSS V3.1

Unknown
