CVE-2022-31127

{"id": "CVE-2022-31127", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 2.8}]}, "published": "2022-07-06T18:15:19.497", "references": [{"url": "https://github.com/nextauthjs/next-auth/commit/ae834f1e08a4a9915665eecb9479c74c6b039c9c", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.9.0", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pgjx-7f9g-9463", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://next-auth.js.org/getting-started/upgrade-v4", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://next-auth.js.org/providers/email#customizing-emails", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail [signin endpoint](https://next-auth.js.org/getting-started/rest-api#post-apiauthsigninprovider) that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.: `balazs@email.com, <a href=\"http://attacker.com\">Before signing in, claim your money!</a>`. This was previously sent to `balazs@email.com`, and the content of the email containing a link to the attacker's site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used: next-auth v3 users before version 3.29.8 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. next-auth v4 users before version 4.9.0 are impacted. If for some reason you cannot upgrade, the workaround requires you to sanitize the `email` parameter that is passed to `sendVerificationRequest` and rendered in the HTML. If you haven't created a custom `sendVerificationRequest`, you only need to upgrade. Otherwise, make sure to either exclude `email` from the HTML body or efficiently sanitize it."}, {"lang": "es", "value": "NextAuth.js es una completa soluci\u00f3n de autenticaci\u00f3n de c\u00f3digo abierto para aplicaciones Next.js. Un atacante puede pasar una entrada comprometida al correo electr\u00f3nico [signin endpoint](https://next-auth.js.org/getting-started/rest-api#post-apiauthsigninprovider) que contiene alg\u00fan HTML malicioso, enga\u00f1ando al servidor de correo electr\u00f3nico para que lo env\u00ede al usuario, y as\u00ed poder llevar a cabo un ataque de phishing. Eg.: \"balazs@email.com, (a href=\"http://attacker.com\")Before signing in, claim your money!(/a)\". Anteriormente era enviado a \"balazs@email.com\", y el contenido del correo electr\u00f3nico que conten\u00eda un enlace al sitio del atacante era renderizado en el HTML. Esto ha sido mitigado en las siguientes versiones, simplemente no renderizando ese correo electr\u00f3nico en el HTML, ya que deber\u00eda ser obvio para el receptor qu\u00e9 correo electr\u00f3nico fue usado: los usuarios de next-auth versiones v3 anteriores a 3.29.8 est\u00e1n afectados. (Recomendamos actualizar a la versi\u00f3n v4, ya que la versi\u00f3n v3 es considerada sin mantenimiento. Los usuarios de next-auth versiones v4 anteriores a 4.9.0 est\u00e1n afectados. Si por alguna raz\u00f3n no puedes actualizar, la mitigaci\u00f3n requiere que sea saneado el par\u00e1metro \"email\" que es pasado a \"sendVerificationRequest\" y es mostrado en el HTML. Si no has creado un \"sendVerificationRequest\" personalizado, s\u00f3lo tienes que actualizar. En caso contrario, aseg\u00farese de excluir \"email\" del cuerpo del HTML o de sanearlo eficazmente"}], "lastModified": "2022-07-14T14:31:06.403", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D6D5F0DD-25B0-4A7E-9F90-04E6D3A910EE", "versionEndExcluding": "3.29.8"}, {"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "F1463014-6B40-4A67-B484-F9102997C292", "versionEndExcluding": "4.9.0", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}