From a5cb28f08a9cf635533255d6764eaf8572596aa4 Mon Sep 17 00:00:00 2001
From: Erlend Oftedal
Date: Tue, 21 May 2024 15:35:23 +0200
Subject: [PATCH] Add two new vulns for next.js
---
 repository/jsrepository-master.json | 48 +++++++++++++++++++++++++-
 repository/jsrepository-v2.json | 52 ++++++++++++++++++++++++++---
 repository/jsrepository.json | 52 ++++++++++++++++++++++++++---
 3 files changed, 143 insertions(+), 9 deletions(-)
diff --git a/repository/jsrepository-master.json b/repository/jsrepository-master.json
index d2808d46..d54c5476 100644
--- a/repository/jsrepository-master.json
+++ b/repository/jsrepository-master.json
@@ -1130,7 +1130,7 @@
 "summary": "The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs",
 "identifiers": {
 "githubID": "GHSA-27gm-ghr9-4v95",
- "CVE": ["CVE-2020-17480", "CVE-2020-23066"]
+ "CVE": ["CVE-2020-17480"]
 },
 "severity": "high",
 "cwe": ["CWE-79"],
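Review bot: The `- "CVE": ["CVE-2020-17480", "CVE-2020-23066"]` / `+ "CVE": ["CVE-2020-17480"]` change drops CVE-2020-23066 from the GHSA-27gm-ghr9-4v95 entry, but the subject line only mentions adding Next.js vulnerabilities and nothing in the patch says why the identifier goes away. Downstream consumers that key on CVE IDs (suppression lists, SBOM/VEX matching, dashboards) will see a finding vanish with no audit trail. A one-line explanation in the commit message, e.g. `Drop CVE-2020-23066 from GHSA-27gm-ghr9-4v95: <reason>` (rejected, withdrawn, or mapped to a different advisory), would make the data change reviewable; the same removal is applied in the v2 and legacy copies, so the three files do stay consistent.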
@@ -4789,6 +4789,52 @@
 "nextjs": {
 "npmname": "next",
 "vulnerabilities": [
+ {
+ "ranges": [
+ {
+ "atOrAbove": "13.4.0",
+ "below": "13.5.1"
+ }
+ ],
+ "summary": "Next.js Vulnerable to HTTP Request Smuggling",
+ "cwe": ["CWE-444"],
+ "severity": "high",
+ "identifiers": {
+ "CVE": ["CVE-2024-34350"],
+ "githubID": "GHSA-77r5-gw3j-2mpf"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-77r5-gw3j-2mpf",
+ "https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-34350",
+ "https://github.com/vercel/next.js/commit/44eba020c615f0d9efe431f84ada67b81576f3f5",
+ "https://github.com/vercel/next.js",
+ "https://github.com/vercel/next.js/compare/v13.5.0...v13.5.1"
+ ]
+ },
+ {
+ "ranges": [
+ {
+ "atOrAbove": "13.4.0",
+ "below": "14.1.1"
+ }
+ ],
+ "summary": "Next.js Server-Side Request Forgery in Server Actions",
+ "cwe": ["CWE-918"],
+ "severity": "high",
+ "identifiers": {
+ "CVE": ["CVE-2024-34351"],
+ "githubID": "GHSA-fr5h-rqp8-mj6g"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-fr5h-rqp8-mj6g",
+ "https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-34351",
+ "https://github.com/vercel/next.js/pull/62561",
+ "https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085",
+ "https://github.com/vercel/next.js"
+ ]
+ },
 {
 "ranges": [
 {
diff --git a/repository/jsrepository-v2.json b/repository/jsrepository-v2.json
index 865b2cbc..cf584b96 100644
--- a/repository/jsrepository-v2.json
+++ b/repository/jsrepository-v2.json
@@ -1241,8 +1241,7 @@
 "summary": "The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs",
 "githubID": "GHSA-27gm-ghr9-4v95",
 "CVE": [
- "CVE-2020-17480",
- "CVE-2020-23066"
+ "CVE-2020-17480"
 ]
 },
 "info": [
@@ -1312,8 +1311,7 @@
 "summary": "The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs",
 "githubID": "GHSA-27gm-ghr9-4v95",
 "CVE": [
- "CVE-2020-17480",
- "CVE-2020-23066"
+ "CVE-2020-17480"
 ]
 },
 "info": [
@@ -6508,6 +6506,52 @@
 "info": [
 "https://github.com/advisories/GHSA-c59h-r6p8-q9wc"
 ]
+ },
+ {
+ "atOrAbove": "13.4.0",
+ "below": "13.5.1",
+ "cwe": [
+ "CWE-444"
+ ],
+ "severity": "high",
+ "identifiers": {
+ "summary": "Next.js Vulnerable to HTTP Request Smuggling",
+ "CVE": [
+ "CVE-2024-34350"
+ ],
+ "githubID": "GHSA-77r5-gw3j-2mpf"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-77r5-gw3j-2mpf",
+ "https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-34350",
+ "https://github.com/vercel/next.js/commit/44eba020c615f0d9efe431f84ada67b81576f3f5",
+ "https://github.com/vercel/next.js",
+ "https://github.com/vercel/next.js/compare/v13.5.0...v13.5.1"
+ ]
+ },
+ {
+ "atOrAbove": "13.4.0",
+ "below": "14.1.1",
+ "cwe": [
+ "CWE-918"
+ ],
+ "severity": "high",
+ "identifiers": {
+ "summary": "Next.js Server-Side Request Forgery in Server Actions",
+ "CVE": [
+ "CVE-2024-34351"
+ ],
+ "githubID": "GHSA-fr5h-rqp8-mj6g"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-fr5h-rqp8-mj6g",
+ "https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-34351",
+ "https://github.com/vercel/next.js/pull/62561",
+ "https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085",
+ "https://github.com/vercel/next.js"
+ ]
 }
 ],
 "extractors": {
diff --git a/repository/jsrepository.json b/repository/jsrepository.json
index c7965b53..1f83d70c 100644
--- a/repository/jsrepository.json
+++ b/repository/jsrepository.json
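Review bot: In the `@@ -6508,6 +6506,52 @@` hunk the two Next.js entries are appended after the existing `GHSA-c59h-r6p8-q9wc` entry, whereas the same entries are prepended to the `vulnerabilities` array in jsrepository-master.json earlier in this patch. If jsrepository-v2.json and jsrepository.json are produced from the master file by a build step, regenerating them rather than hand-editing would keep entry order and field layout identical across the three copies and avoid drift between scanners pinned to different repository versions; if they are maintained by hand, this is only a consistency nit. The content itself agrees with the master copy: `>=13.4.0 <13.5.1` for CVE-2024-34350 and `>=13.4.0 <14.1.1` for CVE-2024-34351, with `summary` placed inside `identifiers` as the existing entries in this file do.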
@@ -1227,8 +1227,7 @@
 "summary": "The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs",
 "githubID": "GHSA-27gm-ghr9-4v95",
 "CVE": [
- "CVE-2020-17480",
- "CVE-2020-23066"
+ "CVE-2020-17480"
 ]
 },
 "info": [
@@ -1298,8 +1297,7 @@
 "summary": "The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs",
 "githubID": "GHSA-27gm-ghr9-4v95",
 "CVE": [
- "CVE-2020-17480",
- "CVE-2020-23066"
+ "CVE-2020-17480"
 ]
 },
 "info": [
@@ -6447,6 +6445,52 @@
 "info": [
 "https://github.com/advisories/GHSA-c59h-r6p8-q9wc"
 ]
+ },
+ {
+ "atOrAbove": "13.4.0",
+ "below": "13.5.1",
+ "cwe": [
+ "CWE-444"
+ ],
+ "severity": "high",
+ "identifiers": {
+ "summary": "Next.js Vulnerable to HTTP Request Smuggling",
+ "CVE": [
+ "CVE-2024-34350"
+ ],
+ "githubID": "GHSA-77r5-gw3j-2mpf"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-77r5-gw3j-2mpf",
+ "https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-34350",
+ "https://github.com/vercel/next.js/commit/44eba020c615f0d9efe431f84ada67b81576f3f5",
+ "https://github.com/vercel/next.js",
+ "https://github.com/vercel/next.js/compare/v13.5.0...v13.5.1"
+ ]
+ },
+ {
+ "atOrAbove": "13.4.0",
+ "below": "14.1.1",
+ "cwe": [
+ "CWE-918"
+ ],
+ "severity": "high",
+ "identifiers": {
+ "summary": "Next.js Server-Side Request Forgery in Server Actions",
+ "CVE": [
+ "CVE-2024-34351"
+ ],
+ "githubID": "GHSA-fr5h-rqp8-mj6g"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-fr5h-rqp8-mj6g",
+ "https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-34351",
+ "https://github.com/vercel/next.js/pull/62561",
+ "https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085",
+ "https://github.com/vercel/next.js"
+ ]
 }
 ],
 "extractors": {