CVE-2022-35924

{"id": "CVE-2022-35924", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2022-08-02T18:15:08.893", "references": [{"url": "https://en.wikipedia.org/wiki/Email_address#Local-part", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587", "tags": ["Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://next-auth.js.org/configuration/callbacks#sign-in-callback", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://next-auth.js.org/configuration/initialization#advanced-initialization", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://next-auth.js.org/providers/email", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://next-auth.js.org/providers/email#normalizing-the-e-mail-address", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://nodemailer.com/message/addresses", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of emails (eg.: `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith(\"@victim.com\")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address. This vulnerability has been patched in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance). Users are advised to upgrade. There are no known workarounds for this vulnerability. If for some reason you cannot upgrade, you can normalize the incoming request using Advanced Initialization."}, {"lang": "es", "value": "NextAuth.js es una completa soluci\u00f3n de autenticaci\u00f3n de c\u00f3digo abierto para aplicaciones Next.js. Los usuarios de \"next-auth\" que usan el \"EmailProvider\" en versiones anteriores a \"4.10.3\" o \"3.29.10\" est\u00e1n afectados. Si un atacante pudiera falsificar una petici\u00f3n que enviara una lista de correos electr\u00f3nicos separados por comas (por ejemplo: \"attacker@attacker.com,victim@victim.com\") al endpoint de inicio de sesi\u00f3n, NextAuth.js enviar\u00eda correos electr\u00f3nicos tanto al atacante como a las direcciones de correo electr\u00f3nico de la v\u00edctima. El atacante podr\u00eda entonces iniciar sesi\u00f3n como un usuario reci\u00e9n creado con el correo electr\u00f3nico \"attacker@attacker.com,victim@victim.com\". Esto significa que una autorizaci\u00f3n b\u00e1sica como \"email.endsWith(\"@v\u00edctima.com\")\" en la llamada de retorno \"signIn\" no comunicar\u00eda una amenaza al desarrollador y permitir\u00eda al atacante saltarse la autorizaci\u00f3n, incluso con una direcci\u00f3n \"@atacante.com\". Esta vulnerabilidad ha sido parcheada en versiones \"v4.10.3\" y \"v3.29.10\" al normalizar el valor del correo electr\u00f3nico que es enviado al punto final de inicio de sesi\u00f3n antes de acceder a \u00e9l en cualquier otro lugar. Tambi\u00e9n hemos a\u00f1adido una llamada de retorno \"normalizeIdentifier\" en la configuraci\u00f3n de \"EmailProvider\", donde puedes ajustar a\u00fan m\u00e1s tus requisitos para lo que tu sistema considera una direcci\u00f3n de correo electr\u00f3nico v\u00e1lida. (Por ejemplo: cumplimiento estricto del RFC2821). Es recomendado a usuarios actualizar. No se presentan mitigaciones conocidas para esta vulnerabilidad. Si por alguna raz\u00f3n no puede actualizar, puede normalizar la petici\u00f3n entrante usando la Inicializaci\u00f3n Avanzada"}], "lastModified": "2022-08-10T14:56:33.857", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "97098DFC-AC04-4EAE-862A-92C6447A0520", "versionEndExcluding": "3.29.10"}, {"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "5D61C7D4-4D8C-471E-A49D-2ACA7E6A8B03", "versionEndExcluding": "4.10.3", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}