CVE-2022-24858: Upgrade Guide (v4) | NextAuth.js
next-auth v3 users before version 3.29.2 are impacted. next-auth version 4 users before version 4.3.2 are also impacted. Upgrading to 3.29.2 or 4.3.2 will patch this vulnerability. If you are not able to upgrade for any reason, you can add a configuration to your callbacks option. If you already have a `redirect` callback, make sure that you match the incoming `url` origin against the `baseUrl`.
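The origin check recommended above, written out as an added example (it is not code from the NextAuth.js project) using the v4 named-parameters signature `redirect({ url, baseUrl })`; the host names are made up for the demonstration.

```javascript
// Added example, not NextAuth.js project code: a `redirect` callback that
// only lets a sign-in/sign-out redirect land on our own origin. Anything
// else is replaced by `baseUrl`, which is the mitigation the advisory asks
// for when upgrading is not possible.
function safeRedirect({ url, baseUrl }) {
  const base = new URL(baseUrl)
  let target
  try {
    // Resolve relative paths ("/dashboard") against baseUrl; absolute URLs
    // are parsed as-is. Using the WHATWG URL parser rather than string
    // prefix checks means protocol-relative ("//evil.example"), userinfo
    // ("https://app.example@evil.example") and scheme tricks all end up
    // with the origin a browser would actually navigate to.
    target = new URL(url, base)
  } catch {
    // Unparsable input: send the user to the application root.
    return baseUrl
  }
  // Compare the full origin (scheme + host + port), not just the hostname,
  // so an http:// downgrade of our own host is rejected as well.
  if (target.origin !== base.origin) {
    return baseUrl
  }
  return target.href
}

// How it plugs into the [...nextauth].js `callbacks` option (constructed
// fragment, not a complete configuration).
const callbacks = {
  async redirect({ url, baseUrl }) {
    return safeRedirect({ url, baseUrl })
  },
}
```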
NextAuth.js version 4 includes a few breaking changes from the last major version (3.x). So we’re here to help you upgrade your applications as smoothly as possible. It should be possible to upgrade from any version of 3.x to the latest 4 release by following the next few migration steps.
Note: Version 4 has been released to GA 🚨
We encourage users to try it out and report any and all issues they come across.
You can upgrade to the new version with npm or Yarn.
next-auth/jwt
We no longer have a default export in `next-auth/jwt`. To comply with this, change the following:

```diff
- import jwt from "next-auth/jwt"
+ import { getToken } from "next-auth/jwt"
```
next-auth/react
We’ve renamed the client-side import source to `next-auth/react`. To comply with this change, you will simply have to rename anywhere you were using `next-auth/client`.

For example:

```diff
- import { useSession } from "next-auth/client"
+ import { useSession } from "next-auth/react"
```
We’ve also made the following changes to the names of the exports:

- `setOptions`: Not exposed anymore, use `SessionProvider` props
- `options`: Not exposed anymore, use `SessionProvider` props
- `session`: Renamed to `getSession`
- `providers`: Renamed to `getProviders`
- `csrfToken`: Renamed to `getCsrfToken`
- `signin`: Renamed to `signIn`
- `signout`: Renamed to `signOut`
- `Provider`: Renamed to `SessionProvider`
Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.12
SessionProvider
Version 4 makes using the `SessionProvider` mandatory. This means that you will have to wrap any part of your application using `useSession` in this provider, if you were not doing so already. The `SessionProvider` has also undergone a few further changes:

- `Provider` is renamed to `SessionProvider`
- The options prop is now flattened as the props of `SessionProvider`.
- `keepAlive` has been renamed to `refetchInterval`.
- `clientMaxAge` has been removed in favor of `refetchInterval`, as they overlap in functionality, with the difference that `refetchInterval` will keep re-fetching the session periodically in the background.

The best practice for wrapping your app in Providers is to do so in your `pages/_app.jsx` file.

An example use-case with these new changes:

```jsx
import { SessionProvider } from "next-auth/react"

export default function App({
  Component,
  pageProps: { session, ...pageProps },
}) {
  return (
    // `session` comes from `getServerSideProps` or `getInitialProps`.
    // Avoids flickering/session loading on first load.
    <SessionProvider session={session} refetchInterval={5 * 60}>
      <Component {...pageProps} />
    </SessionProvider>
  )
}
```
Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.12
Providers
Providers now need to be imported individually.

```diff
- import Provider from "next-auth/providers"
- Providers.Auth0({...})
- Providers.Google({...})
+ import Auth0Provider from "next-auth/providers/auth0"
+ import GoogleProvider from "next-auth/providers/google"
+ Auth0Provider({...})
+ GoogleProvider({...})
```

- The `AzureADB2C` provider has been renamed `AzureAD`.
- The `Basecamp` provider has been removed, see explanation here.
- The GitHub provider by default now will not request full write access to user profiles. If you need this scope, please add `user` to the scope option manually.
The following new options are available when defining your Providers in the configuration:

- `authorization` (replaces `authorizationUrl`, `authorizationParams`, `scope`)
- `token` (replaces `accessTokenUrl`, `headers`, `params`)
- `userinfo` (replaces `profileUrl`)
- `issuer` (replaces `domain`)
For more details on their usage, please see options section of the OAuth Provider documentation.
When submitting a new OAuth provider to the repository, the `profile` callback is expected to only return these fields from now on: `id`, `name`, `email`, and `image`. If any of these are missing values, they should be set to `null`.

Also worth noting is that `id` is expected to be returned as a `string` type (for example, if your provider returns it as a number, you can cast it by using the `.toString()` method). This makes the returned profile object consistent across all providers/accounts/adapters, and should cause less confusion in the future.
Implemented in: nextauthjs/next-auth#2411 Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.20
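An added example (not code from the NextAuth.js repository) of a custom OAuth provider written against the v4 option names listed above, with a `profile` callback that returns exactly the four expected fields; the provider name, endpoints and the `picture`/`avatar_url` field names of the upstream profile are made up for the demonstration.

```javascript
// Added example, not NextAuth.js project code. Normalises whatever the
// upstream provider returns into the shape v4 expects from `profile()`:
// exactly { id, name, email, image }, with `id` always a string and any
// missing value set to null rather than left undefined.
function normalizeProfile(raw) {
  if (raw == null || raw.id == null || raw.id === "") {
    // Without a stable id the account cannot be linked to a user; failing
    // loudly here is better than creating a user with id "undefined".
    throw new Error("provider profile has no usable id")
  }
  return {
    id: String(raw.id), // numeric ids become "42"
    name: raw.name ?? null,
    email: raw.email ?? null,
    // Field names on the upstream profile are provider-specific; these two
    // are assumed names for this example.
    image: raw.picture ?? raw.avatar_url ?? null,
  }
}

// A custom provider in the v4 shape. The option names come from the
// section above; the issuer and endpoint URLs are placeholders.
function ExampleProvider(options) {
  return {
    id: "example",
    name: "Example",
    type: "oauth",
    issuer: "https://auth.example.test", // replaces `domain`
    authorization: {
      // replaces `authorizationUrl`, `authorizationParams` and `scope`
      url: "https://auth.example.test/oauth/authorize",
      params: { scope: "openid profile email" },
    },
    token: "https://auth.example.test/oauth/token", // replaces `accessTokenUrl`
    userinfo: "https://auth.example.test/oauth/userinfo", // replaces `profileUrl`
    profile: normalizeProfile,
    options,
  }
}
```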
useSession Hook

The `useSession` hook has been updated to return an object. This allows you to test states much more cleanly with the new `status` option.

```diff
- const [ session, loading ] = useSession()
+ const { data: session, status } = useSession()
+ const loading = status === "loading"
```

Check the docs for the possible values of both `session.status` and `session.data`.
Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.18
Named Parameters
We have changed the arguments to our callbacks to the named parameters pattern. This way you don’t have to use dummy `_` placeholders or other tricks.
Callbacks
The signatures for the callback methods now look like this:

```diff
- signIn(user, account, profileOrEmailOrCredentials)
+ signIn({ user, account, profile, email, credentials })

- redirect(url, baseUrl)
+ redirect({ url, baseUrl })

- session(session, tokenOrUser)
+ session({ session, token, user })

- jwt(token, user, account, OAuthProfile, isNewUser)
+ jwt({ token, user, account, profile, isNewUser })
```
Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.17
Events
Two event signatures have changed to also use the named parameters pattern, `signOut` and `updateUser`.

```diff
// [...nextauth].js
...
events: {
- signOut(tokenOrSession),
+ signOut({ token, session }), // token if using JWT, session if DB persisted sessions.
- updateUser(user)
+ updateUser({ user })
}
```
Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.20
JWT configuration
We have removed some of the configuration options when using JSON Web Tokens; here’s the PR for more context.

```diff
export default NextAuth({
  // ...
  jwt: {
    secret,
    maxAge,
-   encryptionKey
-   signingKey
-   encryptionKey
-   verificationOptions
    encode({
      token
      secret
      maxAge
-     signingKey
-     signingOptions
-     encryptionKey
-     encryptionOptions
-     encryption
    }) {},
    decode({
      token
      secret
-     maxAge
-     signingKey
-     verificationKey
-     verificationOptions
-     encryptionKey
-     decryptionKey
-     decryptionOptions
-     encryption
    }) {}
  }
})
```
Logger API
The logger API has been simplified to use at most two parameters, where the second is usually an object (`metadata`) containing an `error` object. If you are not using the logger settings you can ignore this change.

```diff
// [...nextauth].js
import log from "some-logger-service"
...
logger: {
- error(code, ...message) {},
+ error(code, metadata) {},
- warn(code, ...message) {},
+ warn(code) {}
- debug(code, ...message) {}
+ debug(code, metadata) {}
}
```
Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.19
nodemailer
Like `typeorm` and `prisma`, `nodemailer` is no longer included as a dependency by default. If you are using the Email provider you must install it in your project manually, or use any other Email library in the `sendVerificationRequest` callback. This reduces bundle size for those not actually using the Email provider. Remember, when using the Email provider, it is mandatory to also use a database adapter, because verification tokens need to be persisted longer term for the magic link functionality to work.
Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.2
Theme
We have added some basic customization options to our built-in pages like `signin`, `signout`, etc.

These can be set under the `theme` configuration key. This used to be a string which only controlled the color scheme option. Now it is an object with the following options:

```js
theme: {
  colorScheme: "auto", // "auto" | "dark" | "light"
  brandColor: "", // Hex color value
  logo: "" // Absolute URL to logo image
}
```
The hope is that with some minimal configuration / customization options, users won’t immediately feel the need to replace the built-in pages with their own.
More details and screenshots of the new theme options can be found under configuration/pages.
Introduced in nextauthjs/next-auth#2788
Session
The `session.jwt: boolean` option has been renamed to `session.strategy: "jwt" | "database"`. The goal is to make the user’s options more intuitive:

- No adapter, `strategy: "jwt"`: This is the default. The session is saved in a cookie and never persisted anywhere.
- With Adapter, `strategy: "database"`: If an Adapter is defined, this will be the implicit setting. No user config is needed.
- With Adapter, `strategy: "jwt"`: The user can explicitly instruct `next-auth` to use JWT even if a database is available. This can result in faster lookups at the cost of lowered security. Read more about: https://next-auth.js.org/faq#json-web-tokens

Example:

```diff
session: {
- jwt: true,
+ strategy: "jwt",
}
```
Introduced in nextauthjs/next-auth#3144
Adapters
Most importantly, the core `next-auth` package no longer ships with `typeorm` or any other database adapter by default. This brings the default bundle size down significantly for those not needing to persist user data to a database.
You can find the official Adapters in the `packages` directory in the primary monorepo (nextauthjs/next-auth). You can also still create your own with the new, simplified Adapter API.
If you have a database that was created with a `3.x.x` or earlier version of NextAuth.js, you will need to run a migration to update the schema to the new version 4 database model. See the bottom of this migration guide for database specific migration examples.
- If you use the built-in TypeORM or Prisma adapters, these have been removed from the core `next-auth` package. Thankfully the migration is easy; you just need to install the external packages for your database and change the import in your `[...nextauth].js`.

The `database` option has been removed, you must now do the following instead:

```diff
// [...nextauth].js
import NextAuth from "next-auth"
+ import { TypeORMLegacyAdapter } from "@next-auth/typeorm-legacy-adapter"
...
export default NextAuth({
- database: "yourconnectionstring",
+ adapter: TypeORMLegacyAdapter("yourconnectionstring")
})
```

- The `prisma-legacy` adapter has been removed, please use the `@next-auth/prisma-adapter` instead.
- The `typeorm-legacy` adapter has been upgraded to use the newer adapter API, but has retained the `typeorm-legacy` name. We aim to migrate this to individual lighter weight adapters for each database type in the future, or switch out `typeorm`.
- MongoDB has been moved to its own adapter under `@next-auth/mongodb-adapter`. See the MongoDB Adapter docs.
Introduced in https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.8 and nextauthjs/next-auth#2361
Adapter API
This does not require any changes from the user - these are adapter specific changes only
The Adapter API has been rewritten and significantly simplified in NextAuth v4. The adapters now have less work to do as some functionality has been migrated to the core of NextAuth, like hashing the verification token.
If you are an adapter maintainer or are interested in writing your own adapter, you can find more information about this change in nextauthjs/next-auth#2361 and release https://github.com/nextauthjs/next-auth/releases/tag/v4.0.0-next.22.
Schema changes
The way we save data with adapters has slightly changed. With the new Adapter API, we wanted to make it easier to extend your database with additional fields. For example, if your User needs an extra `phone` field, it should be enough to add that to your database’s schema, and no changes will be necessary in your adapter.
- `created_at`/`createdAt` and `updated_at`/`updatedAt` fields are removed from all Models.
- `user_id`/`userId` consistently named `userId`.
- `compound_id`/`compoundId` is removed from Account.
- `access_token`/`accessToken` is removed from Session.
- `email_verified`/`emailVerified` on User is consistently named `emailVerified`.
- `provider_id`/`providerId` renamed to `provider` on Account.
- `provider_type`/`providerType` renamed to `type` on Account.
- `provider_account_id`/`providerAccountId` on Account is consistently named `providerAccountId`.
- `access_token_expires`/`accessTokenExpires` on Account renamed to `expires_at`.
- New fields on Account: `token_type`, `scope`, `id_token`, `session_state`.
- `verification_requests` table has been renamed to `verification_tokens`.

See the changes:

```diff
User {
  id
  name
  email
- email_verified
+ emailVerified
  image
- created_at
- updated_at
}

Account {
  id
- compound_id
- user_id
+ userId
- provider_type
+ type
- provider_id
+ provider
- provider_account_id
+ providerAccountId
  refresh_token
  access_token
- access_token_expires
+ expires_in
+ expires_at
+ token_type
+ scope
+ id_token
+ session_state
- created_at
- updated_at
}

Session {
  id
  userId
  expires
  sessionToken
- access_token
- created_at
- updated_at
}

VerificationToken {
  id
  token
  expires
  identifier
- created_at
- updated_at
}
```
For more info, see the Models page.
Database migration
NextAuth.js v4 has a slightly different database schema compared to v3. If you’re using any of our adapters and want to upgrade, you can use one of the below schemas.
They are designed to be run directly against the database itself. So instead of having one in Prisma syntax, one in TypeORM syntax, etc. we’ve decided to just make one for each underlying database type. i.e. one for Postgres, one for MySQL, one for MongoDB, etc.
MySQL
```sql
/* ACCOUNT */
ALTER TABLE accounts
  CHANGE `access_token_expires` `expires_at` int,
  CHANGE `user_id` `userId` varchar(255),
  /* Foreign key constraint names must be unique per database in MySQL, so
     the accounts and sessions constraints get distinct names. */
  ADD CONSTRAINT fk_accounts_user_id FOREIGN KEY (userId) REFERENCES users(id),
  RENAME COLUMN `provider_id` TO `provider`,
  RENAME COLUMN `provider_account_id` TO `providerAccountId`,
  DROP COLUMN `provider_type`,
  DROP COLUMN `compound_id`,
  /* The following two timestamp columns have never been necessary for NextAuth.js to function, but can be kept if you want */
  DROP COLUMN `created_at`,
  DROP COLUMN `updated_at`,
  ADD COLUMN `token_type` varchar(255) NULL,
  ADD COLUMN `scope` varchar(255) NULL,
  ADD COLUMN `id_token` varchar(255) NULL,
  ADD COLUMN `session_state` varchar(255) NULL,
  /* Note: These are only needed if you're going to be using the old Twitter OAuth 1.0 provider. */
  ADD COLUMN `oauth_token_secret` varchar(255) NULL,
  ADD COLUMN `oauth_token` varchar(255) NULL;

/* USER */
ALTER TABLE users
  RENAME COLUMN `email_verified` TO `emailVerified`,
  /* The following two timestamp columns have never been necessary for NextAuth.js to function, but can be kept if you want */
  DROP COLUMN `created_at`,
  DROP COLUMN `updated_at`;

/* SESSION */
ALTER TABLE sessions
  RENAME COLUMN `session_token` TO `sessionToken`,
  CHANGE `user_id` `userId` varchar(255),
  ADD CONSTRAINT fk_sessions_user_id FOREIGN KEY (userId) REFERENCES users(id),
  DROP COLUMN `access_token`,
  /* The following two timestamp columns have never been necessary for NextAuth.js to function, but can be kept if you want */
  DROP COLUMN `created_at`,
  DROP COLUMN `updated_at`;

/* VERIFICATION REQUESTS */
ALTER TABLE verification_requests RENAME TO verification_tokens;
ALTER TABLE verification_tokens
  DROP COLUMN id,
  /* The following two timestamp columns have never been necessary for NextAuth.js to function, but can be kept if you want */
  DROP COLUMN `created_at`,
  DROP COLUMN `updated_at`;
```
Postgres
```sql
/* ACCOUNT */
ALTER TABLE accounts RENAME COLUMN "user_id" TO "userId";
ALTER TABLE accounts RENAME COLUMN "provider_id" TO "provider";
ALTER TABLE accounts RENAME COLUMN "provider_account_id" TO "providerAccountId";
ALTER TABLE accounts RENAME COLUMN "access_token_expires" TO "expires_at";
ALTER TABLE accounts RENAME COLUMN "provider_type" TO "type";
/* Do conversion of TIMESTAMPTZ to BIGINT */
ALTER TABLE accounts ALTER COLUMN "expires_at" TYPE TEXT USING CAST(extract(epoch FROM "expires_at") AS BIGINT)*1000;
/* Keep id as SERIAL with autoincrement when using ORM. Using new v4 uuid format won't work because of incompatibility */
/* ALTER TABLE accounts ALTER COLUMN "id" TYPE TEXT; */
/* ALTER TABLE accounts ALTER COLUMN "userId" TYPE TEXT; */
ALTER TABLE accounts ALTER COLUMN "type" TYPE TEXT;
ALTER TABLE accounts ALTER COLUMN "provider" TYPE TEXT;
ALTER TABLE accounts ALTER COLUMN "providerAccountId" TYPE TEXT;
ALTER TABLE accounts ADD CONSTRAINT fk_user_id FOREIGN KEY ("userId") REFERENCES users(id);
ALTER TABLE accounts
DROP COLUMN IF EXISTS "compound_id";
/* The following two timestamp columns have never been necessary for NextAuth.js to function, but can be kept if you want */
ALTER TABLE accounts
DROP COLUMN IF EXISTS "created_at",
DROP COLUMN IF EXISTS "updated_at";
ALTER TABLE accounts
ADD COLUMN IF NOT EXISTS "token_type" TEXT NULL,
ADD COLUMN IF NOT EXISTS "scope" TEXT NULL,
ADD COLUMN IF NOT EXISTS "id_token" TEXT NULL,
ADD COLUMN IF NOT EXISTS "session_state" TEXT NULL;
/* Note: These are only needed if you're going to be using the old Twitter OAuth 1.0 provider. */
/* ALTER TABLE accounts
ADD COLUMN IF NOT EXISTS "oauth_token_secret" TEXT NULL,
ADD COLUMN IF NOT EXISTS "oauth_token" TEXT NULL; */

/* USER */
ALTER TABLE users RENAME COLUMN "email_verified" TO "emailVerified";
/* Keep id as SERIAL with autoincrement when using ORM. Using new v4 uuid format won't work because of incompatibility */
/* ALTER TABLE users ALTER COLUMN "id" TYPE TEXT; */
ALTER TABLE users ALTER COLUMN "name" TYPE TEXT;
ALTER TABLE users ALTER COLUMN "email" TYPE TEXT;
ALTER TABLE users ALTER COLUMN "image" TYPE TEXT;
/* Do conversion of TIMESTAMPTZ to BIGINT and then TEXT */
ALTER TABLE users ALTER COLUMN "emailVerified" TYPE TEXT USING CAST(CAST(extract(epoch FROM "emailVerified") AS BIGINT)*1000 AS TEXT);
/* The following two timestamp columns have never been necessary for NextAuth.js to function, but can be kept if you want */
ALTER TABLE users
DROP COLUMN IF EXISTS "created_at",
DROP COLUMN IF EXISTS "updated_at";

/* SESSION */
ALTER TABLE sessions RENAME COLUMN "session_token" TO "sessionToken";
ALTER TABLE sessions RENAME COLUMN "user_id" TO "userId";
/* Keep id as SERIAL with autoincrement when using ORM. Using new v4 uuid format won't work because of incompatibility */
/* ALTER TABLE sessions ALTER COLUMN "id" TYPE TEXT; */
/* ALTER TABLE sessions ALTER COLUMN "userId" TYPE TEXT; */
ALTER TABLE sessions ALTER COLUMN "sessionToken" TYPE TEXT;
ALTER TABLE sessions ADD CONSTRAINT fk_user_id FOREIGN KEY ("userId") REFERENCES users(id);
/* Do conversion of TIMESTAMPTZ to BIGINT and then TEXT */
ALTER TABLE sessions ALTER COLUMN "expires" TYPE TEXT USING CAST(CAST(extract(epoch FROM "expires") AS BIGINT)*1000 AS TEXT);
ALTER TABLE sessions DROP COLUMN IF EXISTS "access_token";
/* The following two timestamp columns have never been necessary for NextAuth.js to function, but can be kept if you want */
ALTER TABLE sessions
DROP COLUMN IF EXISTS "created_at",
DROP COLUMN IF EXISTS "updated_at";

/* VERIFICATION REQUESTS */
ALTER TABLE verification_requests RENAME TO verification_tokens;
/* Keep id as ORM needs it */
/* ALTER TABLE verification_tokens DROP COLUMN IF EXISTS id; */
ALTER TABLE verification_tokens ALTER COLUMN "identifier" TYPE TEXT;
ALTER TABLE verification_tokens ALTER COLUMN "token" TYPE TEXT;
/* Do conversion of TIMESTAMPTZ to BIGINT and then TEXT */
ALTER TABLE verification_tokens ALTER COLUMN "expires" TYPE TEXT USING CAST(CAST(extract(epoch FROM "expires") AS BIGINT)*1000 AS TEXT);
/* The following two timestamp columns have never been necessary for NextAuth.js to function, but can be kept if you want */
ALTER TABLE verification_tokens
DROP COLUMN IF EXISTS "created_at",
DROP COLUMN IF EXISTS "updated_at";
```
MongoDB
MongoDB is a document database and as such new fields will be automatically populated. You do, however, need to update the names of existing fields which are going to be reused.
```js
db.getCollection('accounts').updateMany({}, { $rename: {
  "provider_id": "provider",
  "provider_account_id": "providerAccountId",
  "user_id": "userId",
  "access_token_expires": "expires_at"
}})
db.getCollection('users').updateMany({}, { $rename: {
  "email_verified": "emailVerified"
}})
db.getCollection('sessions').updateMany({}, { $rename: {
  "session_token": "sessionToken",
  "user_id": "userId"
}})
```
Missing secret
NextAuth.js used to generate a secret for convenience, when the user did not define one. This might have been useful in development, but can be a concern in production. We have always been clear about that in the docs, but from now on, if you forget to define a `secret` property in production, we will show the user an error page. Read more about this option here.

You can generate a secret to be placed in the `secret` configuration option via the following command:

```sh
$ openssl rand -base64 32
```

Therefore, your NextAuth.js config should look something like this:

`/pages/api/auth/[…nextauth].js`

```js
...
export default NextAuth({
  ...
  providers: [...],
  secret: "LlKq6ZtYbr+hTC073mAmAh9/h2HwMfsFo4hrfCx5mLg=",
  ...
})
```
Introduced in nextauthjs/next-auth#3143
Session strategy
We have always supported two different session strategies. The first, our most popular and default strategy, is the JWT based one. The second is the database adapter persisted session strategy. Both have their advantages and disadvantages; you can learn more about them on the FAQ page.
Previously, the way you configured this was through the `jwt: boolean` flag in the `session` option. The names `session` and `jwt` might have been a bit overused in the options, and so for a clearer message, we renamed this option to `strategy: "jwt" | "database"`; it is still in the `session` object. This will hopefully better indicate the purpose of this option as well as make very explicit which type of session you are going to use.

See the `session` option docs for more details.
Introduced in nextauthjs/next-auth#3144
Summary
We hope this migration goes smoothly for each and every one of you! If you have any questions or get stuck anywhere, feel free to create a new issue on GitHub.
Related news
Logging Subsystem 5.4 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0759: kubeclient: kubeconfig parsing error can lead to MITM attacks * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter
acs commons is an open source framework for AEM projects. ACS Commons version 5.1.x (and earlier) suffers from a Reflected Cross-site Scripting (XSS) vulnerability in /apps/acs-commons/content/page-compare.html` endpoint via the `a` and `b` GET parameters. User input submitted via these parameters is not validated or sanitized. An attacker must provide a link to someone with access to AEM Author, and could potentially exploit this vulnerability to inject malicious JavaScript content into vulnerable form fields and execute it within the context of the victim's browser. The exploitation of this issue requires user interaction in order to be successful. This issue has been resolved in 5.2.0. There are no known workarounds for this issue.
Updated Satellite 6.9 packages that fix several bugs are now available for Red Hat Satellite.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-27023: puppet: unsafe HTTP redirect
HumHub is an Open Source Enterprise Social Network. In affected versions users who are forced to change their password by an administrator may retrieve other users' data. This issue has been resolved by commit `eb83de20`. It is recommended that the HumHub is upgraded to 1.11.0, 1.10.4 or 1.9.4. There are no known workarounds for this issue.
Updated packages that provide Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Service Pack 11, fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3516: libxml2: Use-after-free in xmlEncodeEntitiesInternal() in entities.c * CVE-2021-3517: libxml2: Heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c * CVE-2021-3518: libxml...
Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Service Pack 11 zip release for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, and Microsoft Windows is available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3516: libxml2: Use-after-free in xmlEncodeEntitiesInternal() in entities.c * CVE-2021-3517: libxml2: Heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c * CVE-2021-3518: libxml2: Use-after-free in xmlXIncludeDoProcess() in xinc...
Origin Protocol is a blockchain based project. The Origin Protocol project website allows for malicious users to inject malicious Javascript via a POST request to `/presale/join`. User-controlled data is passed with no sanitization to SendGrid and injected into an email that is delivered to the [email protected]. If the email recipient is using an email program that is susceptible to XSS, then that email recipient will receive an email that may contain malicious XSS. Regardless if the email recipient’s mail program has vulnerabilities or not, the hacker can at the very least inject malicious HTML that modifies the body content of the email. There are currently no known workarounds.
Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has Server-Side Request Forgery vulnerability. During the download verification process of a JDBC driver the corresponding JDBC driver download address will be downloaded first, but this address will return a response page with complete error information when accessing a non-existent URL. Attackers can take advantage of this feature for SSRF.
A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.
SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization.
Shopware is an open commerce platform based on Symfony Framework and Vue. In affected versions an attacker can abuse the Admin SDK functionality on the server to read or update internal resources. Users are advised to update to the current version 6.4.10.1. For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. There are no known workarounds for this issue.
Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has remote code execution vulnerability. JDBC drivers are not validated prior to use and may be provided by users of the system. This can lead to code execution by any basic user who has access to the system. Users are advised to upgrade. There are no known workarounds to this issue.
wire-webapp is the web application interface for the wire messaging service. Insufficient escaping in markdown “code highlighting” in the wire-webapp resulted in the possibility of injecting and executing arbitrary HTML code and thus also JavaScript. If a user receives and views such a malicious message, arbitrary code is injected and executed in the context of the victim. This allows the attacker to fully control the user account. Wire-desktop clients that are connected to a vulnerable wire-webapp version are also vulnerable to this attack. The issue has been fixed in wire-webapp 2022-03-30-production.0 and is already deployed on all Wire managed services. On-premise instances of wire-webapp need to be updated to docker tag 2022-03-30-production.0-v0.29.2-0-d144552 or wire-server 2022-03-30 (chart/4.8.0), so that their applications are no longer affected. There are no known workarounds for this issue. ### Patches * The issue has been fixed in wire-webapp **2022-03-30-production.0** an...
An update for kernel is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4083: kernel: fget: check that the fd still exists after getting a ref to it * CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation * CVE-2022-25636: kernel: heap out of bounds write in nf_dup_netdev.c
An update for java-11-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) * CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) * CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) * CVE-2022-21476: OpenJDK: Defective ...
New Red Hat Single Sign-On 7.5.2 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-45105: log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern
New Red Hat Single Sign-On 7.5.2 packages are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs:
* CVE-2021-45105: log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern
Oracle's April Critical Patch Update contains 520 new security patches. We spell out some of the most important vulnerabilities. The post Oracle releases massive Critical Patch Update containing 520 security patches appeared first on Malwarebytes Labs.
A security update is now available for Red Hat Single Sign-On 7.5 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs:
* CVE-2021-45105: log4j-core: DoS in log4j 2.x with Thread Context Map (MDC) input data contains a recursive lookup and context lookup pattern
Red Hat OpenShift Container Platform release 4.9.29 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs:
* CVE-2022-24769: moby: Default inheritable capabilities for linux container should be empty
An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs:
* CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
* CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
* CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
* CVE-2022-21476: OpenJDK: Defective ...
An update for java-17-openjdk is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs:
* CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
* CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
* CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
* CVE-2022-21449: OpenJDK: Improper E...
An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs:
* CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
* CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
* CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
* CVE-2022-...
An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs:
* CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
* CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
* CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
* CVE-2022-...
Red Hat OpenShift Container Platform release 4.7.49 is now available with updates to packages and images that fix several bugs and add enhancements. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.7.49. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs:
* CVE-2022-0711: haproxy: Denial of service via set-cookie2 header
An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs:
* CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
* CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)
* CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)
*...
Red Hat OpenShift Container Platform release 4.8.37 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs:
* CVE-2022-24769: moby: Default inheritable capabilities for linux container should be empty
Red Hat OpenShift Container Platform release 4.10.10 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Related CVEs:
* CVE-2022-24769: moby: Default inheritable capabilities for linux container should be empty
Cross-site request forgery (CSRF) vulnerability in 'MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership' versions prior to 1.9.6 allows a remote unauthenticated attacker to hijack the authentication of an administrator and perform unintended operation via unspecified vectors.
On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. Similarly, if the malicious repository contains files named `..exe` and `cygpath.exe`, and `cygpath.exe` is not found in `PATH`, the `..exe` program will be executed when certain Git LFS commands are run. More generally, if the current working directory contains any file with a base name of `.` and a file extension from `PATHEXT` (except `.bat` and `.cmd`), and also contains another file with the same base name as a program Git LFS intends to execute (such as `git`, `cygpath`, or `uname`) and any file extension from `PATHEXT` (including `.bat` and `.cmd`), then, on Windows, when Git LFS attempts to execute the intended program the `..exe`, `..com`, etc., file will be executed instead, but only if the intended progra...
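The condition the Git LFS entry describes can be checked mechanically. The following is an added example, not Git LFS code: it scans a checkout for the decoy-plus-shadow pattern (a file whose base name is `.` with a PATHEXT extension other than `.bat`/`.cmd`, next to a file named after `git`, `cygpath` or `uname` with any PATHEXT extension), and shows a program lookup that only consults PATH directories and never the current directory. The PATHEXT value, the program list and the demo repository layout are assumptions made for this example.

```python
"""Detect the Windows program-lookup trap described for Git LFS in a checkout.

Added example, not Git LFS code. It models the advisory's condition: the
working directory holds a file whose base name is "." and whose extension is in
PATHEXT (other than .bat/.cmd), e.g. "..exe", alongside a file named after a
program the tool intends to run (git, cygpath, uname) with any PATHEXT
extension, e.g. "git.exe". The PATHEXT value, the program list and the demo
repository layout are assumptions made for this example.
"""
import os
import tempfile
from pathlib import Path

# Windows default PATHEXT (assumed; real environments may differ).
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"
# Programs the advisory names as ones Git LFS may execute.
INTENDED_PROGRAMS = ("git", "cygpath", "uname")


def parse_pathext(pathext: str) -> list:
    """Lower-cased extensions from a PATHEXT string, e.g. ['.com', '.exe', ...]."""
    return [e.lower() for e in pathext.split(";") if e]


def find_lookup_trap(directory, pathext=DEFAULT_PATHEXT, programs=INTENDED_PROGRAMS):
    """Return (decoys, shadowed) for the files directly inside `directory`.

    decoys:   names such as '..exe' (base name '.' plus a PATHEXT extension,
              .bat and .cmd excluded as in the advisory).
    shadowed: intended program names for which a same-named file with any
              PATHEXT extension exists (e.g. 'git' when 'git.exe' is present).
    The trap is present when both lists are non-empty.
    """
    exts = parse_pathext(pathext)
    names = {p.name.lower() for p in Path(directory).iterdir() if p.is_file()}
    decoys = sorted("." + ext for ext in exts
                    if ext not in (".bat", ".cmd") and "." + ext in names)
    shadowed = sorted(prog for prog in programs
                      if any(prog + ext in names for ext in exts))
    return decoys, shadowed


def is_trap_present(directory, pathext=DEFAULT_PATHEXT, programs=INTENDED_PROGRAMS):
    decoys, shadowed = find_lookup_trap(directory, pathext, programs)
    return bool(decoys) and bool(shadowed)


def lookup_without_cwd(program, path_env, pathext=DEFAULT_PATHEXT, cwd=None):
    """Resolve `program` using only the directories listed in `path_env`.

    A search order that consults the current directory before PATH is what lets
    a decoy in the checkout win. Here empty entries, '.', and any entry that
    resolves to the current directory are skipped, so a file in the checkout is
    never chosen. Returns the path as a string, or None when not found.
    """
    cwd = Path(cwd or os.getcwd()).resolve()
    candidates = [program] + [program + ext for ext in parse_pathext(pathext)]
    for entry in path_env.split(os.pathsep):
        if not entry or entry == ".":
            continue
        d = Path(entry)
        try:
            if d.resolve() == cwd:
                continue
        except OSError:
            continue
        for cand in candidates:
            p = d / cand
            if p.is_file():
                return str(p)
    return None


def make_demo_repo(contains_trap=True):
    """Constructed sample checkout in a fresh temporary directory; returns its path."""
    d = tempfile.mkdtemp(prefix="lfs-demo-")
    Path(d, "README.md").write_text("sample\n")
    if contains_trap:
        Path(d, "..exe").write_bytes(b"MZ")    # decoy: base name '.', extension '.exe'
        Path(d, "git.exe").write_bytes(b"MZ")  # shadows the intended 'git'
    return d


if __name__ == "__main__":
    repo = make_demo_repo()
    print(repo, find_lookup_trap(repo), "trap" if is_trap_present(repo) else "clean")
    print(lookup_without_cwd("git", repo, cwd=repo))  # None: the checkout is skipped
```

The scanner only looks at the top level of the checkout because that is where the advisory places the decoy (the current working directory); extend it to subdirectories if your tooling runs with a different working directory. Note that some standard library lookups on Windows also prepend the current directory to the search, so a "safe" lookup has to be deliberate rather than assumed.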
Hotdog, prior to v1.0.1, did not mimic the capabilities or the SELinux label of the target JVM process. This would allow a container to gain full privileges on the host, bypassing restrictions set on the container.
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...
The CleanTalk AntiSpam plugin <= 5.173 for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) via the $_REQUEST['page'] parameter in `/lib/Cleantalk/ApbctWP/FindSpam/ListTable/Users.php`
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 19c and 21c. Easily exploitable vulnerability allows low privileged attacker having Create Procedure privilege with network access via multiple protocols to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java VM accessible data. CVSS 3.1 Base Score 6.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).
The WordPress WP YouTube Live Plugin is vulnerable to Reflected Cross-Site Scripting via POST data found in the ~/inc/admin.php file which allows unauthenticated attackers to inject arbitrary web scripts in versions up to, and including, 1.7.21.
The WordPress plugin Be POPIA Compliant exposed sensitive information to unauthenticated users consisting of site visitors' emails and usernames via an API route, in versions up to and including 1.1.5.
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.
Smokescreen is a simple HTTP proxy that fogs over naughty URLs. The primary use case for Smokescreen is to prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of applications to connect to or scan internal infrastructure. Smokescreen also offers an option to deny access to additional (e.g., external) URLs by way of a deny list. There was an issue in Smokescreen that made it possible to bypass the deny list feature by appending a dot to the end of user-supplied URLs, or by providing input in a different letter case. Upgrading Smokescreen to version 0.0.3 or later is recommended.
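Both bypasses in the Smokescreen entry come from comparing the host string exactly as the client sent it. The following is an added example, not Smokescreen code: it puts an exact-match deny list next to one that canonicalises the host (lower case, trailing dots removed) on both sides before comparing, and runs the two bypass classes from the entry against each. The deny-list entries and URLs are constructed sample data.

```python
"""Deny-list matching on raw versus canonical host names.

Added example, not Smokescreen code. It reproduces the two bypass classes the
advisory describes against an exact-match deny list (a trailing dot on the host
and a change of letter case), and shows a comparison that canonicalises both
the request host and the deny-list entries before matching. The deny-list
entries and URLs are constructed sample data.
"""
from urllib.parse import urlsplit

DENY_LIST = ["metadata.internal", "169.254.169.254", "admin.example.com"]


def raw_host(url: str) -> str:
    """Host exactly as the user wrote it: userinfo and port removed, nothing else."""
    netloc = urlsplit(url).netloc.rsplit("@", 1)[-1]
    if netloc.startswith("["):                    # IPv6 literal, e.g. [::1]:8080
        return netloc[1:netloc.index("]")]
    return netloc.split(":", 1)[0]


def canonical_host(host: str) -> str:
    """Form used for comparison: lower case, trailing dots removed.

    "metadata.internal." is the same DNS name as "metadata.internal", and DNS
    names are case-insensitive, so both are folded before the match.
    """
    host = host.strip().lower()
    while host.endswith("."):
        host = host[:-1]
    return host


def naive_is_denied(url: str, deny_list=DENY_LIST) -> bool:
    """Bypassable check: exact string comparison on the raw host."""
    return raw_host(url) in deny_list


def is_denied(url: str, deny_list=DENY_LIST) -> bool:
    """Hardened check: canonicalise both sides, then compare."""
    denied = {canonical_host(entry) for entry in deny_list}
    return canonical_host(raw_host(url)) in denied


# Constructed bypass attempts against the deny list above.
BYPASS_ATTEMPTS = [
    "http://metadata.internal./latest/meta-data/",   # trailing dot
    "http://METADATA.INTERNAL/latest/meta-data/",    # letter case
    "http://Admin.Example.com.:8443/",               # both, plus a port
]


def compare(urls=BYPASS_ATTEMPTS):
    """(url, naive verdict, hardened verdict) for each URL."""
    return [(u, naive_is_denied(u), is_denied(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, hardened in compare():
        print(f"{url:45} naive={naive!s:5} hardened={hardened}")
```

The canonicalisation here covers only the two equivalences named in the entry. Other spellings of the same destination (alternative IP literal formats, internationalised names) need their own normalisation, and a proxy that resolves the name before deciding should apply the deny list to the resolved address as well as to the name.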
Exploring what's next for public-cloud security, including top risks and how to implement better risk management.
The package git before 1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
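The mechanism in the last entry is that an operand beginning with `-` is parsed by git as an option. The following is an added example, not the npm `git` package's code: it shows the unchecked argv shape, and a hardened builder that rejects option-looking remotes, restricts `opts` to an allow-list, and places `--end-of-options` (supported by git 2.24 and later, assumed available) in front of the operand so that git itself stops option parsing there. Nothing is executed; the functions return argv lists. The allow-list of options is an assumption for the example.

```python
"""Argument injection through a git subcommand operand, and two guards.

Added example, not the npm `git` package's code. A caller-supplied `remote`
that begins with '-' turns `git fetch <remote>` into, for instance,
`git fetch --upload-pack=<program>`, and --upload-pack names a program git will
run. The hardened builder rejects option-looking values, restricts `opts` to an
allow-list, and places `--end-of-options` (git 2.24 and later, assumed
available) before the operand so git stops option parsing there. Nothing is
executed; the functions return argv lists for an exec-style API, never a shell.
"""

# Options a caller may set, with the type each must have (assumed allow-list).
ALLOWED_OPTS = {"depth": int, "prune": bool, "tags": bool}


def vulnerable_fetch_argv(remote="origin", opts=None):
    """The pre-fix shape: the operand is appended without any check."""
    return ["git", "fetch", remote]


def looks_like_injection(value: str) -> bool:
    """True when an operand would be parsed by git as an option."""
    return value.startswith("-")


def opts_to_flags(opts):
    """Translate an options dict into flags, refusing unknown keys and wrong types."""
    flags = []
    for key, value in (opts or {}).items():
        if key not in ALLOWED_OPTS:
            raise ValueError(f"option not allowed: {key!r}")
        expected = ALLOWED_OPTS[key]
        if type(value) is not expected:            # a bool is not accepted as an int
            raise ValueError(f"{key}: expected {expected.__name__}")
        if expected is bool:
            if value:
                flags.append("--" + key)
        else:
            flags.append(f"--{key}={value}")
    return flags


def hardened_fetch_argv(remote="origin", opts=None):
    """Build `git fetch` argv so that `remote` can only ever be an operand."""
    if not remote or "\0" in remote:
        raise ValueError("remote must be a non-empty string without NUL")
    if looks_like_injection(remote):
        raise ValueError(f"remote looks like an option: {remote!r}")
    # Flags first, then the terminator, then the operand; anything after
    # --end-of-options is an operand to git even if it starts with '-'.
    return ["git", "fetch", *opts_to_flags(opts), "--end-of-options", remote]


if __name__ == "__main__":
    hostile = "--upload-pack=touch /tmp/pwned"
    print(vulnerable_fetch_argv(hostile))   # the injected flag reaches git
    try:
        hardened_fetch_argv(hostile)
    except ValueError as exc:
        print("rejected:", exc)
    print(hardened_fetch_argv("origin", {"depth": 1, "prune": True}))
```

The two guards are deliberately redundant: the explicit rejection gives a clear error at the API boundary, and `--end-of-options` protects against anything the check misses. Passing the list to an exec-style call (no shell) keeps the remaining characters of `remote` from being interpreted at all.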