CVE-2024-22206

Опубликовано: 12 янв. 2024

Источник: nvd

CVSS3: 9

CVSS3: 9.8

EPSS Низкий

Описание

Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3.

Ссылки

https://clerk.com/changelog/2024-01-12
Release Notes
Vendor Advisory
https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3
Patch
Release Notes
https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg
Patch
Vendor Advisory
https://clerk.com/changelog/2024-01-12
Release Notes
Vendor Advisory
https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3
Patch
Release Notes
https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:clerk:javascript:*:*:*:*:*:node.js:*:*

Версия от 4.7.0 (включая) до 4.29.3 (исключая)

EPSS

Процентиль: 49%

0.00264

Низкий

9 Critical

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-284

Связанные уязвимости

GHSA-q6w5-jg5q-47vg

CVSS3: 9

github

около 2 лет назад

@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)

EPSS

Процентиль: 49%

0.00264

Низкий

9 Critical

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-284