CVE-2024-49770 Vulnerability Details

  /     /     /  

CVE-2024-49770 Metadata Quick Info

CVE Published: 01/11/2024 | CVE Updated: 01/11/2024 | CVE Year: 2024
Source: GitHub_M | Vendor: oakserver | Product: oak
Status : PUBLISHED

---

CVE-2024-49770 Description

`oak` is a middleware framework for Deno\'s native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. By default `oak` does not allow transferring of hidden files with `Context.send` API. However, prior to version 17.1.3, this can be bypassed by encoding `/` as its URL encoded form `%2F`. For an attacker this has potential to read sensitive user data or to gain access to server secrets. Version 17.1.3 fixes the issue.

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-35
CWE Name: CWE-35: Path Traversal: .../...//
Source: oakserver

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).