CVE-2024-49770

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-49770
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49770.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-49770
Aliases
Published
2024-11-01T17:15:17Z
Modified
2024-11-02T00:51:37.125803Z
Summary
[none]
Details

oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. By default oak does not allow transferring of hidden files with Context.send API. However, prior to version 17.1.3, this can be bypassed by encoding / as its URL encoded form %2F. For an attacker this has potential to read sensitive user data or to gain access to server secrets. Version 17.1.3 fixes the issue.

References

Affected packages

Git / github.com/oakserver/oak

Affected ranges

Type
GIT
Repo
https://github.com/oakserver/oak
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4b2f27efd5cba5a45b2c3982e610da3af0869209

Affected versions

13.*

13.2.4

14.*

14.2.0

v1.*

v1.0.0

v10.*

v10.0.0
v10.1.0
v10.1.1
v10.2.0
v10.2.1
v10.3.0
v10.4.0
v10.5.0
v10.5.1
v10.6.0

v11.*

v11.0.0
v11.1.0

v12.*

v12.0.0
v12.0.1
v12.1.0
v12.2.0
v12.3.0
v12.3.1
v12.4.0
v12.5.0
v12.6.0
v12.6.1
v12.6.2

v13.*

v13.0.0
v13.0.1
v13.1.0
v13.2.0
v13.2.1
v13.2.2
v13.2.3
v13.2.5

v14.*

v14.0.0
v14.1.0
v14.1.1

v15.*

v15.0.0

v16.*

v16.0.0
v16.1.0

v17.*

v17.0.0
v17.1.0
v17.1.1
v17.1.2

v2.*

v2.0.0
v2.1.0
v2.10.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.6.0
v2.7.0
v2.8.0
v2.9.0

v3.*

v3.0.0
v3.1.0
v3.2.0
v3.3.0
v3.4.0
v3.5.0
v3.6.0
v3.7.0

v4.*

v4.0.0

v5.*

v5.0.0
v5.1.0
v5.1.1
v5.2.0
v5.3.0
v5.3.1
v5.4.0

v6.*

v6.0.0
v6.0.1
v6.0.2
v6.1.0
v6.2.0
v6.3.0
v6.3.1
v6.3.2
v6.4.0
v6.4.1
v6.4.2
v6.5.0
v6.5.1

v7.*

v7.0.0
v7.1.0
v7.2.0
v7.3.0
v7.4.0
v7.4.1
v7.5.0
v7.6.0
v7.6.1
v7.6.2
v7.6.3
v7.7.0

v8.*

v8.0.0

v9.*

v9.0.0
v9.0.1