CVE-2023-48309

NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://authjs.dev/guides/basics/role-based-access-control	Technical Description
https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10	Patch
https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89	Vendor Advisory
https://next-auth.js.org/configuration/nextjs#advanced-usage	Technical Description
https://next-auth.js.org/configuration/nextjs#middlewar	Technical Description

Configurations

Configuration 1 (hide)

cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*

History

25 Nov 2023, 02:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-20 19:15

Updated : 2024-02-05 00:22

NVD link : CVE-2023-48309

Mitre link : CVE-2023-48309

CVE.ORG link : CVE-2023-48309

JSON object : View

Products Affected

nextauth.js

next-auth

CWE

CWE-285

Improper Authorization

CWE-863

Incorrect Authorization

{"id": "CVE-2023-48309", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2023-11-20T19:15:09.243", "references": [{"url": "https://authjs.dev/guides/basics/role-based-access-control", "tags": ["Technical Description"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextauthjs/next-auth/commit/d237059b6d0cb868c041ba18b698e0cee20a2f10", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-v64w-49xw-qq89", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://next-auth.js.org/configuration/nextjs#advanced-usage", "tags": ["Technical Description"], "source": "security-advisories@github.com"}, {"url": "https://next-auth.js.org/configuration/nextjs#middlewar", "tags": ["Technical Description"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "NextAuth.js provides authentication for Next.js. `next-auth` applications prior to version 4.24.5 that rely on the default Middleware authorization are affected by a vulnerability. A bad actor could create an empty/mock user, by getting hold of a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow (state, PKCE or nonce). Manually overriding the `next-auth.session-token` cookie value with this non-related JWT would let the user simulate a logged in user, albeit having no user information associated with it. (The only property on this user is an opaque randomly generated string). This vulnerability does not give access to other users' data, neither to resources that require proper authorization via scopes or other means. The created mock user has no information associated with it (ie. no name, email, access_token, etc.) This vulnerability can be exploited by bad actors to peek at logged in user states (e.g. dashboard layout). `next-auth` `v4.24.5` contains a patch for the vulnerability. As a workaround, using a custom authorization callback for Middleware, developers can manually do a basic authentication."}, {"lang": "es", "value": "NextAuth.js proporciona autenticaci\u00f3n para Next.js. Las aplicaciones `next-auth` anteriores a la versi\u00f3n 4.24.5 que dependen de la autorizaci\u00f3n de Middleware predeterminada se ven afectadas por una vulnerabilidad. Un mal actor podr\u00eda crear un usuario vac\u00edo/simulado al obtener un JWT emitido por NextAuth.js a partir de un flujo de inicio de sesi\u00f3n de OAuth interrumpido (estado, PKCE o nonce). Anular manualmente el valor de la cookie `next-auth.session-token` con este JWT no relacionado permitir\u00eda al usuario simular un usuario que ha iniciado sesi\u00f3n, aunque no tenga informaci\u00f3n de usuario asociada. (La \u00fanica propiedad de este usuario es una cadena opaca generada aleatoriamente). Esta vulnerabilidad no da acceso a los datos de otros usuarios, ni a recursos que requieran la autorizaci\u00f3n adecuada a trav\u00e9s de alcances u otros medios. El usuario simulado creado no tiene informaci\u00f3n asociada (es decir, no tiene nombre, correo electr\u00f3nico, token de acceso, etc.). Los malos actores pueden aprovechar esta vulnerabilidad para echar un vistazo a los estados de los usuarios que han iniciado sesi\u00f3n (por ejemplo, el dise\u00f1o del panel). `next-auth` `v4.24.5` contiene un parche para la vulnerabilidad. Como workaround, al utilizar una devoluci\u00f3n de llamada de autorizaci\u00f3n personalizada para Middleware, los desarrolladores pueden realizar manualmente una autenticaci\u00f3n b\u00e1sica."}], "lastModified": "2023-11-25T02:18:34.320", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextauth.js:next-auth:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A8790D4B-02DD-46E6-84FA-B1BA7F1C94E9", "versionEndExcluding": "4.24.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}