nvd-json-data-feeds/CVE-2021/CVE-2021-376xx/CVE-2021-37699.json

{
  "id": "CVE-2021-37699",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2021-08-12T00:15:06.997",
  "lastModified": "2021-08-20T12:46:09.257",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue has been patched in release 11.1.0."
    },
    {
      "lang": "es",
      "value": "Next.js es un marco de desarrollo de sitios web de c\u00f3digo abierto que se utilizar\u00e1 con la biblioteca React. En las versiones afectadas, rutas especialmente codificadas podr\u00edan ser usadas cuando pages/_error.js se generaron est\u00e1ticamente, lo que permite que se produzca un redireccionamiento abierto a un sitio externo. En general, esta redirecci\u00f3n no da\u00f1a directamente a los usuarios, aunque puede permitir ataques de phishing al redirigir al dominio de un atacante desde un dominio de confianza. Recomendamos a todos que se actualicen, independientemente de si pueden reproducir el problema o no. El problema se corrigi\u00f3 en la versi\u00f3n 11.1.0"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "REQUIRED",
          "scope": "CHANGED",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7
      },
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "NONE",
          "userInteraction": "REQUIRED",
          "scope": "CHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 4.7
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "accessVector": "NETWORK",
          "accessComplexity": "MEDIUM",
          "authentication": "NONE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.8
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 8.6,
        "impactScore": 4.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": true
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ]
    },
    {
      "source": "security-advisories@github.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
              "versionStartIncluding": "10.0.5",
              "versionEndIncluding": "10.2.0",
              "matchCriteriaId": "C481055F-BB50-454C-80B1-FD43CFC52896"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
              "versionStartIncluding": "11.0.0",
              "versionEndIncluding": "11.0.1",
              "matchCriteriaId": "3A87C693-B910-4DD7-847A-2C5421BB06B2"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/vercel/next.js/releases/tag/v11.1.0",
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9",
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ]
    }
  ]
}