CVE-2021-32702

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter which is then processed by the callback handler as an error message. You are affected by this vulnerability if you are using `@auth0/nextjs-auth0` version `1.4.1` or lower **unless** you are using custom error handling that does not return the error message in an HTML response. Upgrade to version `1.4.1` to resolve. The fix adds basic HTML escaping to the error message and it should not impact your users.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/auth0/nextjs-auth0/commit/6996e2528ceed98627caa28abafbc09e90163ccf	Patch Third Party Advisory
https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-954c-jjx6-cxv7	Third Party Advisory
https://www.npmjs.com/package/%40auth0/nextjs-auth0

Configurations

Configuration 1 (hide)

cpe:2.3:a:auth0:nextjs-auth0:*:*:*:*:*:node.js:*:*

History

07 Nov 2023, 03:35

Type	Values Removed	Values Added
References	~~{'url': 'https://www.npmjs.com/package/@auth0/nextjs-auth0', 'name': 'https://www.npmjs.com/package/@auth0/nextjs-auth0', 'tags': ['Product', 'Third Party Advisory'], 'refsource': 'MISC'}~~	() https://www.npmjs.com/package/%40auth0/nextjs-auth0 -

Information

Published : 2021-06-25 17:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-32702

Mitre link : CVE-2021-32702

CVE.ORG link : CVE-2021-32702

JSON object : View

Products Affected

auth0

nextjs-auth0

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2021-32702", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.6}]}, "published": "2021-06-25T17:15:08.383", "references": [{"url": "https://github.com/auth0/nextjs-auth0/commit/6996e2528ceed98627caa28abafbc09e90163ccf", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/auth0/nextjs-auth0/security/advisories/GHSA-954c-jjx6-cxv7", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.npmjs.com/package/%40auth0/nextjs-auth0", "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter which is then processed by the callback handler as an error message. You are affected by this vulnerability if you are using `@auth0/nextjs-auth0` version `1.4.1` or lower **unless** you are using custom error handling that does not return the error message in an HTML response. Upgrade to version `1.4.1` to resolve. The fix adds basic HTML escaping to the error message and it should not impact your users."}, {"lang": "es", "value": "El SDK de Auth0 Next.js es una biblioteca para implementar la autenticaci\u00f3n de usuarios en las aplicaciones Next.js. Las versiones anteriores a la \"1.4.1\" e incluy\u00e9ndola, son vulnerables a un ataque de tipo XSS reflejado. Un atacante puede ejecutar c\u00f3digo arbitrario al proporcionar una carga \u00fatil de tipo XSS en el par\u00e1metro de consulta \"error\" que luego es procesado por el controlador de devoluci\u00f3n de llamada como un mensaje de error. Est\u00e1 afectado por esta vulnerabilidad si est\u00e1 usando \"@auth0/nextjs-auth0\" versi\u00f3n \"1.4.1\" o inferior **a menos que** est\u00e9 usando un manejo de errores personalizado que no devuelva el mensaje de error en una respuesta HTML. Actualizar a versi\u00f3n \"1.4.1\" para solucionarlo. La correcci\u00f3n a\u00f1ade un escape HTML b\u00e1sico al mensaje de error y no deber\u00eda afectar a sus usuarios"}], "lastModified": "2023-11-07T03:35:23.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:auth0:nextjs-auth0:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "F04AAC80-E950-4A31-B658-C7B7825CE71E", "versionEndExcluding": "1.4.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}