{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-48309", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-14T17:41:15.572Z", "datePublished": "2023-11-20T18:25:01.896Z", "dateUpdated": "2024-08-29T13:41:03.796Z"}, "containers": {"cna": {"title": "next-auth vulnerable to possible user mocking that bypasses basic authentication", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89"}, {"name": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10", "tags": ["x_refsource_MISC"], "url": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10"}, {"name": "https://authjs.dev/guides/basics/role-based-access-control", "tags": ["x_refsource_MISC"], "url": "https://authjs.dev/guides/basics/role-based-access-control"}, {"name": "https://next-auth.js.org/configuration/nextjs#advanced-usage", "tags": ["x_refsource_MISC"], "url": "https://next-auth.js.org/configuration/nextjs#advanced-usage"}, {"name": "https://next-auth.js.org/configuration/nextjs#middlewar", "tags": ["x_refsource_MISC"], "url": "https://next-auth.js.org/configuration/nextjs#middlewar"}], "affected": [{"vendor": "nextauthjs", "product": "next-auth", "versions": [{"version": "< 4.24.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-20T18:25:01.896Z"}, "descriptions": [{"lang": "en", "value": "NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication."}], "source": {"advisory": "GHSA-v64w-49xw-qq89", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:23:39.608Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89"}, {"name": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10"}, {"name": "https://authjs.dev/guides/basics/role-based-access-control", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://authjs.dev/guides/basics/role-based-access-control"}, {"name": "https://next-auth.js.org/configuration/nextjs#advanced-usage", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://next-auth.js.org/configuration/nextjs#advanced-usage"}, {"name": "https://next-auth.js.org/configuration/nextjs#middlewar", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://next-auth.js.org/configuration/nextjs#middlewar"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-29T13:40:21.107207Z", "id": "CVE-2023-48309", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T13:41:03.796Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89", "name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10", "name": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://authjs.dev/guides/basics/role-based-access-control", "name": "https://authjs.dev/guides/basics/role-based-access-control", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://next-auth.js.org/configuration/nextjs#advanced-usage", "name": "https://next-auth.js.org/configuration/nextjs#advanced-usage", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://next-auth.js.org/configuration/nextjs#middlewar", "name": "https://next-auth.js.org/configuration/nextjs#middlewar", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:23:39.608Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-48309", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-29T13:40:21.107207Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T13:40:58.039Z"}}], "cna": {"title": "next-auth vulnerable to possible user mocking that bypasses basic authentication", "source": {"advisory": "GHSA-v64w-49xw-qq89", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "nextauthjs", "product": "next-auth", "versions": [{"status": "affected", "version": "< 4.24.5"}]}], "references": [{"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89", "name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10", "name": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10", "tags": ["x_refsource_MISC"]}, {"url": "https://authjs.dev/guides/basics/role-based-access-control", "name": "https://authjs.dev/guides/basics/role-based-access-control", "tags": ["x_refsource_MISC"]}, {"url": "https://next-auth.js.org/configuration/nextjs#advanced-usage", "name": "https://next-auth.js.org/configuration/nextjs#advanced-usage", "tags": ["x_refsource_MISC"]}, {"url": "https://next-auth.js.org/configuration/nextjs#middlewar", "name": "https://next-auth.js.org/configuration/nextjs#middlewar", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-20T18:25:01.896Z"}}}, "cveMetadata": {"cveId": "CVE-2023-48309", "state": "PUBLISHED", "dateUpdated": "2024-08-29T13:41:03.796Z", "dateReserved": "2023-11-14T17:41:15.572Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-11-20T18:25:01.896Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A8790D4B-02DD-46E6-84FA-B1BA7F1C94E9", "versionEndExcluding": "4.24.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication."}, {"lang": "es", "value": "NextAuth.js proporciona autenticaci\u00f3n para Next.js. Las aplicaciones `next-auth` anteriores a la versi\u00f3n 4.24.5 que dependen de la autorizaci\u00f3n de Middleware predeterminada se ven afectadas por una vulnerabilidad. Un mal actor podr\u00eda crear un usuario vac\u00edo/simulado al obtener un JWT emitido por NextAuth.js a partir de un flujo de inicio de sesi\u00f3n de OAuth interrumpido (estado, PKCE o nonce). Anular manualmente el valor de la cookie `next-auth.session-token` con este JWT no relacionado permitir\u00eda al usuario simular un usuario que ha iniciado sesi\u00f3n, aunque no tenga informaci\u00f3n de usuario asociada. (La \u00fanica propiedad de este usuario es una cadena opaca generada aleatoriamente). Esta vulnerabilidad no da acceso a los datos de otros usuarios, ni a recursos que requieran la autorizaci\u00f3n adecuada a trav\u00e9s de alcances u otros medios. El usuario simulado creado no tiene informaci\u00f3n asociada (es decir, no tiene nombre, correo electr\u00f3nico, token de acceso, etc.). Los malos actores pueden aprovechar esta vulnerabilidad para echar un vistazo a los estados de los usuarios que han iniciado sesi\u00f3n (por ejemplo, el dise\u00f1o del panel). `next-auth` `v4.24.5` contiene un parche para la vulnerabilidad. Como workaround, al utilizar una devoluci\u00f3n de llamada de autorizaci\u00f3n personalizada para Middleware, los desarrolladores pueden realizar manualmente una autenticaci\u00f3n b\u00e1sica."}], "id": "CVE-2023-48309", "lastModified": "2024-11-21T08:31:27.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-11-20T19:15:09.243", "references": [{"source": "[email protected]", "tags": ["Technical Description"], "url": "https://authjs.dev/guides/basics/role-based-access-control"}, {"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89"}, {"source": "[email protected]", "tags": ["Technical Description"], "url": "https://next-auth.js.org/configuration/nextjs#advanced-usage"}, {"source": "[email protected]", "tags": ["Technical Description"], "url": "https://next-auth.js.org/configuration/nextjs#middlewar"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description"], "url": "https://authjs.dev/guides/basics/role-based-access-control"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description"], "url": "https://next-auth.js.org/configuration/nextjs#advanced-usage"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description"], "url": "https://next-auth.js.org/configuration/nextjs#middlewar"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-863"}], "source": "[email protected]", "type": "Secondary"}]}

{}