CVE-2022-31093

Опубликовано: 27 июн. 2022

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid callbackUrl query parameter, which internally is converted to a URL object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the API route handler timing out and logging in to fail. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more.

Ссылки

https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85
Patch
Third Party Advisory
https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6
Patch
Third Party Advisory
https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432
Mitigation
Third Party Advisory
https://next-auth.js.org/configuration/initialization#advanced-initialization
Vendor Advisory
https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85
Patch
Third Party Advisory
https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6
Patch
Third Party Advisory
https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432
Mitigation
Third Party Advisory
https://next-auth.js.org/configuration/initialization#advanced-initialization
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*

Версия от 3.0.0 (включая) до 3.29.5 (исключая)

cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*

Версия от 4.0.0 (включая) до 4.5.0 (исключая)

EPSS

Процентиль: 75%

0.00864

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-754

Связанные уязвимости

GHSA-g5fm-jp9v-2432