GSD-2022-31093

Vulnerability from gsd - Updated: 2023-12-13 01:19
Details
NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more.
Aliases
Aliases
CVE-2022-31093
To clipboard 

{
  "GSD": {
    "alias": "CVE-2022-31093",
    "description": "NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more.",
    "id": "GSD-2022-31093"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-31093"
      ],
      "details": "NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more.",
      "id": "GSD-2022-31093",
      "modified": "2023-12-13T01:19:17.787397Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-31093",
        "STATE": "PUBLIC",
        "TITLE": "Improper Handling of `callbackUrl` parameter in next-auth"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "next-auth",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 3.29.5"
                        },
                        {
                          "version_value": "\u003e= 4.0.0, \u003c 4.5.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "nextauthjs"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-754: Improper Check for Unusual or Exceptional Conditions"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432",
            "refsource": "CONFIRM",
            "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432"
          },
          {
            "name": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85",
            "refsource": "MISC",
            "url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85"
          },
          {
            "name": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6",
            "refsource": "MISC",
            "url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6"
          },
          {
            "name": "https://next-auth.js.org/configuration/initialization#advanced-initialization",
            "refsource": "MISC",
            "url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-g5fm-jp9v-2432",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=3.0.0 \u003c3.29.5||\u003e=4.0.0 \u003c4.5.0",
          "affected_versions": "All versions starting from 3.0.0 before 3.29.5, all versions starting from 4.0.0 before 4.5.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-754",
            "CWE-937"
          ],
          "date": "2022-07-07",
          "description": "NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more.",
          "fixed_versions": [
            "3.29.5",
            "4.5.0"
          ],
          "identifier": "CVE-2022-31093",
          "identifiers": [
            "CVE-2022-31093",
            "GHSA-g5fm-jp9v-2432",
            "GMS-2022-2609"
          ],
          "not_impacted": "All versions before 3.0.0, all versions starting from 3.29.5 before 4.0.0, all versions starting from 4.5.0",
          "package_slug": "npm/next-auth",
          "pubdate": "2022-06-27",
          "solution": "Upgrade to versions 3.29.5, 4.5.0 or above.",
          "title": "Improper Check for Unusual or Exceptional Conditions",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-31093",
            "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85",
            "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6",
            "https://next-auth.js.org/configuration/initialization#advanced-initialization",
            "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432",
            "https://github.com/advisories/GHSA-g5fm-jp9v-2432"
          ],
          "uuid": "108d507c-1828-49a5-8e53-0f8d1dc89032"
        },
        {
          "affected_range": "\u003c0",
          "affected_versions": "All versions before 3.29.5, all versions starting from 4.0.0 before 4.5.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-06-22",
          "description": "An attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally we convert to a `URL` object.",
          "fixed_versions": [
            "3.29.5",
            "4.5.0"
          ],
          "identifier": "GMS-2022-2609",
          "identifiers": [
            "GHSA-g5fm-jp9v-2432",
            "GMS-2022-2609",
            "CVE-2022-31093"
          ],
          "not_impacted": "All versions starting from 3.29.5 before 4.0.0, all versions starting from 4.5.0",
          "package_slug": "npm/next-auth",
          "pubdate": "2022-06-21",
          "solution": "Upgrade to versions 3.29.5, 4.5.0 or above.",
          "title": "Duplicate of ./npm/next-auth/CVE-2022-31093.yml",
          "urls": [
            "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432",
            "https://github.com/advisories/GHSA-g5fm-jp9v-2432"
          ],
          "uuid": "6cd7fb27-b1a2-4765-ad5c-fed0964803a2"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.5.0",
                "versionStartIncluding": "4.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.29.5",
                "versionStartIncluding": "3.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31093"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "NextAuth.js is a complete open source authentication solution for Next.js applications. In affected versions an attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally is converted to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to the **API route handler timing out and logging in to fail**. This has been remedied in versions 3.29.5 and 4.5.0. If for some reason you cannot upgrade, the workaround requires you to rely on Advanced Initialization. Please see the documentation for more."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-754"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85"
            },
            {
              "name": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6"
            },
            {
              "name": "https://next-auth.js.org/configuration/initialization#advanced-initialization",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://next-auth.js.org/configuration/initialization#advanced-initialization"
            },
            {
              "name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432",
              "refsource": "CONFIRM",
              "tags": [
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-07-07T19:45Z",
      "publishedDate": "2022-06-27T22:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.