CVE-2024-31450 (GCVE-0-2024-31450)
Vulnerability from cvelistv5 – Published: 2024-04-19 18:59 – Updated: 2024-08-02 01:52
VLAI?
Title
Owncast vulnerable to arbitrary file deletion in emoji.go (GHSL-2023-277)
Summary
Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The parameter name is taken from the JSON request and directly appended to the filepath that points to the emoji to delete. By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in 0.1.3.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:owncast_project:owncast:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "owncast",
"vendor": "owncast_project",
"versions": [
{
"status": "affected",
"version": "*0.1.3"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31450",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-19T23:33:53.360262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:36:33.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:56.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/"
},
{
"name": "https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e"
},
{
"name": "https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63"
},
{
"name": "https://github.com/owncast/owncast/releases/tag/v0.1.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/owncast/owncast/releases/tag/v0.1.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "owncast",
"vendor": "owncast",
"versions": [
{
"status": "affected",
"version": "\u003c 0.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The parameter name is taken from the JSON request and directly appended to the filepath that points to the emoji to delete. By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in 0.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-19T18:59:19.526Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/"
},
{
"name": "https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e"
},
{
"name": "https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63"
},
{
"name": "https://github.com/owncast/owncast/releases/tag/v0.1.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/owncast/owncast/releases/tag/v0.1.3"
}
],
"source": {
"advisory": "GHSA-9355-27m8-h74v",
"discovery": "UNKNOWN"
},
"title": "Owncast vulnerable to arbitrary file deletion in emoji.go (GHSL-2023-277)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31450",
"datePublished": "2024-04-19T18:59:19.526Z",
"dateReserved": "2024-04-03T17:55:32.646Z",
"dateUpdated": "2024-08-02T01:52:56.997Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The parameter name is taken from the JSON request and directly appended to the filepath that points to the emoji to delete. By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in 0.1.3.\"}, {\"lang\": \"es\", \"value\": \"Owncast es un servidor de chat y transmisi\\u00f3n de video en vivo de c\\u00f3digo abierto, autohospedado, descentralizado y de un solo usuario. La aplicaci\\u00f3n Owncast expone una API de administrador en la URL /api/admin. El endpoint emoji/eliminar de dicha API permite a los administradores eliminar emojis personalizados, que se guardan en el disco. El nombre del par\\u00e1metro se toma de la solicitud JSON y se agrega directamente a la ruta del archivo que apunta al emoji que se eliminar\\u00e1. Al utilizar secuencias de path traversal (../), los atacantes con privilegios administrativos pueden aprovechar este endpoint para eliminar archivos arbitrarios en el sistema, fuera del directorio emoji. Esta vulnerabilidad se solucion\\u00f3 en 0.1.3.\"}]",
"id": "CVE-2024-31450",
"lastModified": "2024-11-21T09:13:32.687",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L\", \"baseScore\": 2.7, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 1.4}]}",
"published": "2024-04-19T19:15:06.873",
"references": "[{\"url\": \"https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/owncast/owncast/releases/tag/v0.1.3\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/owncast/owncast/releases/tag/v0.1.3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-31450\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-04-19T19:15:06.873\",\"lastModified\":\"2025-10-15T14:59:59.130\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The parameter name is taken from the JSON request and directly appended to the filepath that points to the emoji to delete. By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in 0.1.3.\"},{\"lang\":\"es\",\"value\":\"Owncast es un servidor de chat y transmisi\u00f3n de video en vivo de c\u00f3digo abierto, autohospedado, descentralizado y de un solo usuario. La aplicaci\u00f3n Owncast expone una API de administrador en la URL /api/admin. El endpoint emoji/eliminar de dicha API permite a los administradores eliminar emojis personalizados, que se guardan en el disco. El nombre del par\u00e1metro se toma de la solicitud JSON y se agrega directamente a la ruta del archivo que apunta al emoji que se eliminar\u00e1. Al utilizar secuencias de path traversal (../), los atacantes con privilegios administrativos pueden aprovechar este endpoint para eliminar archivos arbitrarios en el sistema, fuera del directorio emoji. Esta vulnerabilidad se solucion\u00f3 en 0.1.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":2.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.2,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncast_project:owncast:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.1.3\",\"matchCriteriaId\":\"2E1041AC-3C3C-4705-88C9-487C9A951F98\"}]}]}],\"references\":[{\"url\":\"https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/owncast/owncast/releases/tag/v0.1.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\",\"Exploit\"]},{\"url\":\"https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/owncast/owncast/releases/tag/v0.1.3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"Exploit\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"Owncast vulnerable to arbitrary file deletion in emoji.go (GHSL-2023-277)\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-22\", \"lang\": \"en\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"LOW\", \"baseScore\": 2.7, \"baseSeverity\": \"LOW\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://securitylab.github.com/advisories/GHSL-2023-277_Owncast/\"}, {\"name\": \"https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e\"}, {\"name\": \"https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go#L63\"}, {\"name\": \"https://github.com/owncast/owncast/releases/tag/v0.1.3\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/owncast/owncast/releases/tag/v0.1.3\"}], \"affected\": [{\"vendor\": \"owncast\", \"product\": \"owncast\", \"versions\": [{\"version\": \"\u003c 0.1.3\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-04-19T18:59:19.526Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The parameter name is taken from the JSON request and directly appended to the filepath that points to the emoji to delete. By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in 0.1.3.\"}], \"source\": {\"advisory\": \"GHSA-9355-27m8-h74v\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-31450\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-19T23:33:53.360262Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:owncast_project:owncast:*:*:*:*:*:*:*:*\"], \"vendor\": \"owncast_project\", \"product\": \"owncast\", \"versions\": [{\"status\": \"affected\", \"version\": \"*0.1.3\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-04-19T23:34:58.164Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
"cveMetadata": "{\"cveId\": \"CVE-2024-31450\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-04-03T17:55:32.646Z\", \"datePublished\": \"2024-04-19T18:59:19.526Z\", \"dateUpdated\": \"2024-06-04T17:36:33.796Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…