CVE-2024-31450: 
vulnerability analysis and mitigation

The Owncast application version 0.1.2 and earlier contains a path traversal vulnerability (CVE-2024-31450) in its administrator API. The vulnerability exists in the emoji/delete endpoint at /api/admin, which allows administrators to delete custom emojis stored on disk. The issue was discovered by Tony Torralba from the GitHub CodeQL team and was fixed in version 0.1.3, released on April 7, 2024 (GitHub Advisory, NVD).

The vulnerability stems from improper input validation in the emoji/delete endpoint. The parameter 'name' is taken from the JSON request and directly appended to the filepath that points to the emoji to delete, without proper path sanitization. By using path traversal sequences (../), attackers with administrative privileges can manipulate the path to delete files outside of the designated emoji directory (GitHub Advisory, GitHub Code). The vulnerability has been assigned a CVSS v3.1 score of 2.7 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L (NVD).

The vulnerability allows authenticated administrators to delete arbitrary files on the system, beyond the intended emoji directory scope. This could potentially lead to unauthorized file deletion across the system, affecting the integrity and availability of system files (GitHub Advisory).

The vulnerability has been fixed in Owncast version 0.1.3 by implementing proper path validation. Users should upgrade to version 0.1.3 or later to mitigate this vulnerability. The fix includes adding a check using filepath.IsLocal() to validate the target path (GitHub Commit, GitHub Release).