SCA: security update for github.com/owncast/owncast (GHSA-9355-27m8-h74v)

medium Tenable Cloud Security Plugin ID 412980

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server.
The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of
said API allows administrators to delete custom emojis, which are saved on disk. The parameter name is
taken from the JSON request and directly appended to the filepath that points to the emoji to delete. By
using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint
to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in
0.1.3. (CVE-2024-31450)

See Also

https://github.com/advisories/GHSA-9355-27m8-h74v

Plugin Details

Severity: Medium

ID: 412980

Version: Revision 1.12

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.21

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.7

Temporal Score: 6

Vector: CVSS2#AV:N/AC:L/Au:M/C:N/I:C/A:C

CVSS Score Source: CVE-2024-31450

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 5.1

Threat Score: 5.1

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/5/2024

Vulnerability Publication Date: 4/19/2024

Reference Information

CVE: CVE-2024-31450

cwe: CWE-22