CVE-2024-31450 LOW

CVE-2024-31450: Owncast vulnerable to arbitrary file deletion in emoji.go (GHSL-2023-277)

Vendor Owncast
Product owncast
Weakness CWE-22 · Path traversal
Published April 19, 2024
Last update August 2, 2024

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

Description

Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of that API allows administrators to delete custom emojis, which are saved on disk. The name parameter is taken from the JSON request body and appended directly to the file path of the emoji to delete. By using path traversal sequences (../), attackers with administrative privileges can use this endpoint to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in 0.1.3.
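The unchecked path join the description refers to, beside a hardened version that keeps the delete inside the emoji directory, as an added Go example that is not Owncast's own code; the emoji directory path, the function names and the injectable remover are assumptions for illustration:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// emojiDir is an assumed location; the real path depends on the Owncast data directory.
const emojiDir = "/var/lib/owncast/data/emoji"

var errBadEmojiName = errors.New("emoji name must be a bare filename inside the emoji directory")

// unsafeEmojiPath is the vulnerable pattern the advisory describes: the "name"
// field from the JSON body is appended to the directory unchecked, so "../"
// segments walk out of emojiDir before the path reaches the delete call.
func unsafeEmojiPath(name string) string {
	return filepath.Join(emojiDir, name)
}

// safeEmojiPath accepts only a plain filename (no separators, no "." or "..")
// and then confirms the joined path still resolves below emojiDir.
func safeEmojiPath(name string) (string, error) {
	if name == "" || name == "." || name == ".." || filepath.Base(name) != name {
		return "", errBadEmojiName
	}
	full := filepath.Join(emojiDir, name)
	rel, err := filepath.Rel(emojiDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadEmojiName
	}
	return full, nil
}

// deleteEmoji is the hardened handler core. The remover is injectable so the
// check can be exercised without touching disk; a real handler passes os.Remove.
func deleteEmoji(name string, remove func(string) error) error {
	p, err := safeEmojiPath(name)
	if err != nil {
		return err
	}
	return remove(p)
}

func main() {
	logOnly := func(p string) error { fmt.Println("would remove", p); return nil }
	for _, n := range []string{"party.png", "../../../../../etc/passwd", "sub/x.png"} {
		fmt.Printf("unsafe join -> %s\n", unsafeEmojiPath(n))
		if err := deleteEmoji(n, logOnly); err != nil {
			fmt.Println("rejected:", n, "->", err)
		}
	}
}
```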

Key dates

Disclosure timeline

April 19, 2024 CVE published
August 2, 2024 Record updated