CVE-2024-22206

CRITICAL9.0EPSS 0.26%

@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)

發布日:2024/1/12修改日:2024/1/12

描述

### Impact Unauthorized access or privilege escalation due to a logic flaw in `auth()` in the App Router or `getAuth()` in the Pages Router. ### Affected Versions All applications that that use `@clerk/nextjs` versions in the range of `>= 4.7.0`,`< 4.29.3` in a Next.js backend to authenticate API Routes, App Router, or Route handlers. Specifically, those that call `auth()` in the App Router or `getAuth()` in the Pages Router. Only the `@clerk/nextjs` SDK is impacted. Other SDKs, including other Javascript-based SDKs, are not impacted. ### Patches Fix included in `@clerk/[email protected]`. ### References - https://clerk.com/changelog/2024-01-12 - https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3

受影響套件(1)

npm/@clerk/nextjs>= 4.7.0, < 4.29.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.0	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

描述

受影響套件(1)

CVSS 分數

參考連結(5)