CVE-2023-48309 - OpenCVE

Vendors	Products
Nextauth.js	Next-auth

Link	Resource
https://authjs.dev/guides/basics/role-based-access-control	Technical Description
https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10	Patch
https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89	Vendor Advisory
https://next-auth.js.org/configuration/nextjs#advanced-usage	Technical Description
https://next-auth.js.org/configuration/nextjs#middlewar	Technical Description

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-48309", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-14T17:41:15.572Z", "datePublished": "2023-11-20T18:25:01.896Z", "dateUpdated": "2023-11-20T18:25:01.896Z"}, "containers": {"cna": {"title": "next-auth vulnerable to possible user mocking that bypasses basic authentication", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89"}, {"name": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10", "tags": ["x_refsource_MISC"], "url": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10"}, {"name": "https://authjs.dev/guides/basics/role-based-access-control", "tags": ["x_refsource_MISC"], "url": "https://authjs.dev/guides/basics/role-based-access-control"}, {"name": "https://next-auth.js.org/configuration/nextjs#advanced-usage", "tags": ["x_refsource_MISC"], "url": "https://next-auth.js.org/configuration/nextjs#advanced-usage"}, {"name": "https://next-auth.js.org/configuration/nextjs#middlewar", "tags": ["x_refsource_MISC"], "url": "https://next-auth.js.org/configuration/nextjs#middlewar"}], "affected": [{"vendor": "nextauthjs", "product": "next-auth", "versions": [{"version": "< 4.24.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-20T18:25:01.896Z"}, "descriptions": [{"lang": "en", "value": "NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication."}], "source": {"advisory": "GHSA-v64w-49xw-qq89", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A8790D4B-02DD-46E6-84FA-B1BA7F1C94E9", "versionEndExcluding": "4.24.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication."}, {"lang": "es", "value": "NextAuth.js proporciona autenticaci\u00f3n para Next.js. Las aplicaciones `next-auth` anteriores a la versi\u00f3n 4.24.5 que dependen de la autorizaci\u00f3n de Middleware predeterminada se ven afectadas por una vulnerabilidad. Un mal actor podr\u00eda crear un usuario vac\u00edo/simulado al obtener un JWT emitido por NextAuth.js a partir de un flujo de inicio de sesi\u00f3n de OAuth interrumpido (estado, PKCE o nonce). Anular manualmente el valor de la cookie `next-auth.session-token` con este JWT no relacionado permitir\u00eda al usuario simular un usuario que ha iniciado sesi\u00f3n, aunque no tenga informaci\u00f3n de usuario asociada. (La \u00fanica propiedad de este usuario es una cadena opaca generada aleatoriamente). Esta vulnerabilidad no da acceso a los datos de otros usuarios, ni a recursos que requieran la autorizaci\u00f3n adecuada a trav\u00e9s de alcances u otros medios. El usuario simulado creado no tiene informaci\u00f3n asociada (es decir, no tiene nombre, correo electr\u00f3nico, token de acceso, etc.). Los malos actores pueden aprovechar esta vulnerabilidad para echar un vistazo a los estados de los usuarios que han iniciado sesi\u00f3n (por ejemplo, el dise\u00f1o del panel). `next-auth` `v4.24.5` contiene un parche para la vulnerabilidad. Como workaround, al utilizar una devoluci\u00f3n de llamada de autorizaci\u00f3n personalizada para Middleware, los desarrolladores pueden realizar manualmente una autenticaci\u00f3n b\u00e1sica."}], "id": "CVE-2023-48309", "lastModified": "2023-11-25T02:18:34.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-11-20T19:15:09.243", "references": [{"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://authjs.dev/guides/basics/role-based-access-control"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://next-auth.js.org/configuration/nextjs#advanced-usage"}, {"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://next-auth.js.org/configuration/nextjs#middlewar"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

JSON object

JSON object

JSON object