{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-46982", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-16T16:10:09.018Z", "datePublished": "2024-09-17T21:55:04.312Z", "dateUpdated": "2024-09-18T13:45:21.409Z"}, "containers": {"cna": {"title": "Cache Poisoning in next.js", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9"}, {"name": "https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3", "tags": ["x_refsource_MISC"], "url": "https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3"}, {"name": "https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda", "tags": ["x_refsource_MISC"], "url": "https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda"}], "affected": [{"vendor": "vercel", "product": "next.js", "versions": [{"version": ">= 13.5.1, < 13.5.7", "status": "affected"}, {"version": ">= 14.0.0, < 14.2.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-17T21:55:04.312Z"}, "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: 1. Next.js between 13.5.1 and 14.2.9, 2. Using pages router, & 3. Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`. This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version."}], "source": {"advisory": "GHSA-gp8f-8m3g-qvj9", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "vercel", "product": "next.js", "cpes": ["cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*"], "defaultStatus": "unknown", "versions": [{"version": "13.5.1", "status": "affected", "lessThan": "13.5.7", "versionType": "custom"}, {"version": "14.0.0", "status": "affected", "lessThan": "14.2.10", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-18T13:38:27.573625Z", "id": "CVE-2024-46982", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T13:45:21.409Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-46982", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-18T13:38:27.573625Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*"], "vendor": "vercel", "product": "next.js", "versions": [{"status": "affected", "version": "13.5.1", "lessThan": "13.5.7", "versionType": "custom"}, {"status": "affected", "version": "14.0.0", "lessThan": "14.2.10", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T13:45:13.928Z"}}], "cna": {"title": "Cache Poisoning in next.js", "source": {"advisory": "GHSA-gp8f-8m3g-qvj9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "vercel", "product": "next.js", "versions": [{"status": "affected", "version": ">= 13.5.1, < 13.5.7"}, {"status": "affected", "version": ">= 14.0.0, < 14.2.10"}]}], "references": [{"url": "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9", "name": "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3", "name": "https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda", "name": "https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: 1. Next.js between 13.5.1 and 14.2.9, 2. Using pages router, & 3. Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`. This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-17T21:55:04.312Z"}}}, "cveMetadata": {"cveId": "CVE-2024-46982", "state": "PUBLISHED", "dateUpdated": "2024-09-18T13:45:21.409Z", "dateReserved": "2024-09-16T16:10:09.018Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-17T21:55:04.312Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: 1. Next.js between 13.5.1 and 14.2.9, 2. Using pages router, & 3. Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`. This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version."}, {"lang": "es", "value": "Next.js es un framework React para crear aplicaciones web full-stack. Al enviar una solicitud HTTP manipulada, es posible envenenar el cach\u00e9 de una ruta renderizada del lado del servidor no din\u00e1mica en el enrutador de p\u00e1ginas (esto no afecta al enrutador de aplicaciones). Cuando se env\u00eda esta solicitud manipulada, podr\u00eda obligar a Next.js a almacenar en cach\u00e9 una ruta que no debe almacenarse en cach\u00e9 y enviar un encabezado `Cache-Control: s-maxage=1, stale-while-revalidate` que algunas CDN ascendentes tambi\u00e9n pueden almacenar en cach\u00e9. Para verse potencialmente afectado, se deben aplicar todas las siguientes condiciones: 1. Next.js entre 13.5.1 y 14.2.9, 2. Usar el enrutador de p\u00e1ginas y 3. Usar rutas renderizadas del lado del servidor no din\u00e1micas, por ejemplo, `pages/dashboard.tsx` no `pages/blog/[slug].tsx`. Esta vulnerabilidad se resolvi\u00f3 en Next.js v13.5.7, v14.2.10 y posteriores. Recomendamos actualizar independientemente de si se puede reproducir el problema o no. No existen workarounds oficiales ni recomendadas para este problema, recomendamos que los usuarios instalen el parche a una versi\u00f3n segura."}], "id": "CVE-2024-46982", "lastModified": "2024-09-20T12:30:51.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-17T22:15:02.273", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3"}, {"source": "security-advisories@github.com", "url": "https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda"}, {"source": "security-advisories@github.com", "url": "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}