
CVE-2024-31450

Owncast vulnerable to arbitrary file deletion in emoji.go (GHSL-2023-277)

Severity Score

2.7
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The parameter name is taken from the JSON request and directly appended to the filepath that points to the emoji to delete. By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in 0.1.3.
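
The flaw described above, and a containment check that closes it, as an added Go example. This is not Owncast's code; the function names, the error value and the sample paths are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideBase = errors.New("path escapes emoji directory")

// unsafeEmojiPath is the flawed pattern: the request-supplied name is appended unchecked.
func unsafeEmojiPath(baseDir, name string) string {
	return filepath.Join(baseDir, name)
}

// safeEmojiPath resolves name under baseDir and rejects results not strictly
// inside it. Symlinks are not resolved (assumption: the directory has none).
func safeEmojiPath(baseDir, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", ErrOutsideBase
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, name) // Join cleans "../" segments
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return target, nil
}

// deleteEmoji removes a file only after the containment check passes.
func deleteEmoji(baseDir, name string) error {
	p, err := safeEmojiPath(baseDir, name)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

func main() {
	_, err := safeEmojiPath("data/emoji", "../../config.yaml") // constructed input
	fmt.Println(unsafeEmojiPath("data/emoji", "../../config.yaml"), err)
}
```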


*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: Low
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
  • Exploitation: Poc
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-04-03 CVE Reserved
  • 2024-04-19 CVE Published
  • 2024-04-20 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Owncast | Owncast | < 0.1.3 | en | Affected |