Veracode Vulnerability DatabaseVERACODE:36078Command Injection
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
27.3%
next-auth is vulnerable to command injection. The vulnerability exists in the assertConfig in assert.ts due to improper handling of user input which allows malicious attacker to inject and execute arbitrary commands.
References
github.com/advisories/GHSA-g5fm-jp9v-2432
github.com/nextauthjs/next-auth/commit/25517b73153332d948114bacdff3b5908de91d85
github.com/nextauthjs/next-auth/commit/49a8d51f79683edb6110a940764bc53e288e5294
github.com/nextauthjs/next-auth/commit/e498483b23273d1bfc81be68339607f88d411bd6
github.com/nextauthjs/next-auth/issues/4700
github.com/nextauthjs/next-auth/security/advisories/GHSA-g5fm-jp9v-2432
next-auth.js.org/configuration/initialization#advanced-initialization
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
27.3%