CVE-2022-23646

Опубликовано: 17 фев. 2022

Источник: nvd

CVSS3: 5.9

CVSS3: 7.5

CVSS2: 4.3

EPSS Низкий

Описание

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.

Ссылки

https://github.com/vercel/next.js/pull/34075
Issue Tracking
Patch
Third Party Advisory
https://github.com/vercel/next.js/releases/tag/v12.1.0
Release Notes
Third Party Advisory
https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj
Issue Tracking
Mitigation
Patch
Third Party Advisory
https://github.com/vercel/next.js/pull/34075
Issue Tracking
Patch
Third Party Advisory
https://github.com/vercel/next.js/releases/tag/v12.1.0
Release Notes
Third Party Advisory
https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj
Issue Tracking
Mitigation
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

Версия от 10.0.0 (включая) до 12.1.0 (исключая)

EPSS

Процентиль: 80%

0.01402

Низкий

5.9 Medium

CVSS3

7.5 High

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-451

Связанные уязвимости

GHSA-fmvm-x8mv-47mj

CVSS3: 5.9

github

больше 3 лет назад

Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0

EPSS

Процентиль: 80%

0.01402

Низкий

5.9 Medium

CVSS3

7.5 High

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-451