CVE-2023-48309
CVSS 3.1 Score 5.3 of 10 (medium)
Details
Summary
CVE-2023-48309 is a vulnerability in NextAuth.js, affecting versions prior to 4.24.5. This vulnerability allows a bad actor to create an empty/mock user by obtaining a NextAuth.js-issued JWT from an interrupted OAuth sign-in flow. By overriding the `next-auth.session-token` cookie value with this non-related JWT, the user can simulate a logged-in user without any associated user information. While this vulnerability does not grant access to other users' data or resources requiring proper authorization, it can be exploited by malicious actors to peek at logged-in user states, such as dashboard layouts. The affected products include multiple versions of NextAuth.js and some related components. The remediation for this vulnerability is to update to version 4.24.5 or newer of `next-auth`. The potential danger posed by this vulnerability lies in unauthorized access to certain user states and possible exploitation of the simulated logged-in user status for malicious purposes within an organization's systems and applications.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Advisories, Assessments, and Mitigations
Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future
- Gain complete coverage of your cyber, third party, and physical attack surface
- Proactively mitigate threats before they turn into costly attacks
- Make fast, effective, data-driven decisions