CVE-2024-22206 @clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)

2024-01-1220:07:40

CWE-284

CWE-287

CWE-639

GitHub_M

www.cve.org

clerk security vulnerability

user management

insecure direct object reference

logic flaw

authorization

privilege escalation

patched vulnerability

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

28.7%

JSON

Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3.

CNA Affected

[
  {
    "vendor": "clerk",
    "product": "javascript",
    "versions": [
      {
        "version": ">= 4.7.0, < 4.29.3",
        "status": "affected"
      }
    ]
  }
]