Add CVE-2021-37699 for GHSA-vxf5-wxwp-m7g9

2025-05-07 03:02:46 +00:00 · 2021-08-11 23:11:14 +00:00 · 2021-08-11 23:11:14 +00:00 · eb8042b41d
commit eb8042b41d
parent 1f3feecad3
1 changed files with 76 additions and 6 deletions
--- a/2021/37xxx/CVE-2021-37699.json
+++ b/2021/37xxx/CVE-2021-37699.json
@ -1,18 +1,88 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-37699",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Open Redirect in Next.js versions below 11.1.0"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "next.js",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "< 11.1.0"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "vercel"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue has been patched in release 11.1.0."
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "HIGH",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "NONE",
+            "baseScore": 6.9,
+            "baseSeverity": "MEDIUM",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "LOW",
+            "privilegesRequired": "NONE",
+            "scope": "CHANGED",
+            "userInteraction": "REQUIRED",
+            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9"
+            },
+            {
+                "name": "https://github.com/vercel/next.js/releases/tag/v11.1.0",
+                "refsource": "MISC",
+                "url": "https://github.com/vercel/next.js/releases/tag/v11.1.0"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-vxf5-wxwp-m7g9",
+        "discovery": "UNKNOWN"
    }
 }