Platform
nodejs
Component
@oakserver/oak
Fixed in
17.1.4
14.1.1
CVE-2024-49770 describes a Path Traversal vulnerability discovered in the @oakserver/oak Node.js framework. This flaw allows attackers to bypass intended restrictions on accessing hidden files by exploiting an unexpected behavior in the decodeComponent function. Versions of @oakserver/oak prior to 17.1.3 are affected, and upgrading is the recommended solution.
The vulnerability stems from the framework's handling of URL-encoded characters when accessing files. While @oakserver/oak attempts to prevent access to hidden files, the decodeComponent function doesn't properly handle URL-encoded forward slashes (%2F). An attacker can exploit this by crafting a malicious URL that encodes / as %2F, effectively bypassing the hidden file restriction. This could allow an attacker to access sensitive configuration files, source code, or other data that should not be publicly accessible. The potential impact is significant, particularly in environments where sensitive data is stored within the application's file system.
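To illustrate the bug class described above, the following added example (hypothetical code written for this page, not oak's own implementation) contrasts a hidden-file check that inspects the raw request path before decoding with one that decodes first and then inspects the segments; the function names and sample paths are constructed for the illustration.

```javascript
// Hypothetical illustration of the bug class, not oak's own code: a
// hidden-file check applied to the *raw* request path is defeated when a
// later decoding step turns %2F back into a path separator.

// Naive check: inspects segments before decoding, then decodes each one.
// Returns the resolved relative path, or null when the request is refused.
function resolveNaive(rawPath) {
  const segments = rawPath.split("/").filter(Boolean);
  for (const seg of segments) {
    if (seg.startsWith(".")) return null; // meant to block .env, .git, ..
  }
  // Decoding after the check reintroduces separators that were hidden as %2F.
  return segments.map((s) => decodeURIComponent(s)).join("/");
}

// Hardened check: decode first, then split on the decoded separator and
// refuse any segment that is hidden (leading dot, which also covers "." and "..").
function resolveHardened(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null; // malformed percent-encoding is refused outright
  }
  if (decoded.includes("\0")) return null; // NUL bytes never belong in a path
  const segments = decoded.split(/[\\/]+/).filter(Boolean);
  for (const seg of segments) {
    if (seg.startsWith(".")) return null;
  }
  return segments.join("/");
}

// Constructed sample requests: a plain hidden file, the %2F-encoded variant
// the advisory describes, and an ordinary asset that must still be served.
const SAMPLES = ["/.env", "/static%2F.env", "/static/app.js"];

function compare() {
  return SAMPLES.map((p) => ({
    path: p,
    naive: resolveNaive(p),
    hardened: resolveHardened(p),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compare()); // naive serves "static/.env"; hardened refuses it
}
```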
CVE-2024-49770 was publicly disclosed on 2024-11-01. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. It is not listed on the CISA KEV catalog at the time of this writing.
Applications and services built using @oakserver/oak versions prior to 17.1.3 are at risk. This includes web applications, APIs, and other backend systems that rely on @oakserver/oak for routing and file handling. Shared hosting environments where multiple applications share the same server instance are particularly vulnerable, as a compromise of one application could potentially expose files from others.
• nodejs / server:
npm list @oakserver/oak
• nodejs / server:
find / -path "*/node_modules/@oakserver/oak/send.ts" -print
• nodejs / server:
grep -r '%2F' /path/to/oak/project
Disclosure
Exploit status
EPSS
0.14% (34th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-49770 is to upgrade to version 17.1.3 or later of @oakserver/oak. This version includes a fix that properly handles URL-encoded characters, preventing the bypass. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing URL-encoded forward slashes (%2F) in file paths. Additionally, review and restrict file access permissions within the application to minimize the potential impact of a successful exploit. After upgrading, confirm the fix by attempting to access a hidden file via a URL containing %2F; the request should be denied.
Update the `@oakserver/oak` dependency to version 17.1.3 or later. This fixes the path traversal vulnerability that allows access to hidden files. Run `npm update @oakserver/oak` or `yarn upgrade @oakserver/oak` to update.
CVE-2024-49770 is a Path Traversal vulnerability in @oakserver/oak that allows attackers to bypass hidden file restrictions by URL encoding / as %2F, potentially exposing sensitive data.
Yes, if you are using @oakserver/oak versions less than or equal to 14.1.0, you are affected by this vulnerability.
Upgrade to version 17.1.3 or later of @oakserver/oak to remediate the vulnerability. Consider WAF rules as a temporary workaround.
While no active exploitation campaigns have been publicly reported, the ease of exploitation suggests a potential risk.
Refer to the @oakserver/oak project's repository and release notes for the official advisory and details on the fix.