Search criteria
12 vulnerabilities found for next.js by zeit
FKIE_CVE-2020-5284
Vulnerability from fkie_nvd - Published: 2020-03-30 22:15 - Updated: 2024-11-21 05:33
Severity ?
4.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zeit:next.js:*:*:*:*:*:*:*:*",
"matchCriteriaId": "669B5A80-8554-4573-81A9-BFB5A974B88C",
"versionEndExcluding": "9.3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2."
},
{
"lang": "es",
"value": "Next.js versiones anteriores a 9.3.2, presentan una vulnerabilidad salto de directorio. Los atacantes pueden dise\u00f1ar peticiones especiales para acceder a los archivos en el directorio dist (.next). Esto no afecta a los archivos fuera del directorio dist (.next). En general, el directorio dist solo contiene activos de compilaci\u00f3n a menos que su aplicaci\u00f3n almacene intencionalmente otros activos bajo este directorio. Este problema es corregido en la versi\u00f3n 9.3.2."
}
],
"id": "CVE-2020-5284",
"lastModified": "2024-11-21T05:33:50.007",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-30T22:15:15.400",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/zeit/next.js/releases/tag/v9.3.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/zeit/next.js/releases/tag/v9.3.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-23"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-18282
Vulnerability from fkie_nvd - Published: 2018-10-12 22:29 - Updated: 2024-11-21 03:55
Severity ?
6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://github.com/zeit/next.js/releases/tag/7.0.2 | Release Notes, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zeit/next.js/releases/tag/7.0.2 | Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zeit:next.js:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5C466D03-29B9-4B8C-A4A3-A3E7FCF2DAE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:7.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E2B256AA-3A94-472E-B612-928D79CEE63B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page."
},
{
"lang": "es",
"value": "Next.js 7.0.0 y 7.0.1 tiene Cross-Site Scripting (XSS) mediante las p\u00e1ginas /_error 404 o 500."
}
],
"id": "CVE-2018-18282",
"lastModified": "2024-11-21T03:55:38.550",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-10-12T22:29:00.763",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://github.com/zeit/next.js/releases/tag/7.0.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://github.com/zeit/next.js/releases/tag/7.0.2"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-6184
Vulnerability from fkie_nvd - Published: 2018-01-24 10:29 - Updated: 2024-11-21 04:10
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://github.com/zeit/next.js/releases/tag/4.2.3 | Issue Tracking, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/zeit/next.js/releases/tag/4.2.3 | Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| zeit | next.js | 4.0.0 |
| zeit | next.js | 4.0.1 |
| zeit | next.js | 4.0.2 |
| zeit | next.js | 4.0.3 |
| zeit | next.js | 4.0.4 |
| zeit | next.js | 4.0.5 |
| zeit | next.js | 4.1.0 |
| zeit | next.js | 4.1.1 |
| zeit | next.js | 4.1.2 |
| zeit | next.js | 4.1.3 |
| zeit | next.js | 4.1.4 |
| zeit | next.js | 4.1.4 (canary_1) |
| zeit | next.js | 4.1.4 (canary_2) |
| zeit | next.js | 4.2.0 |
| zeit | next.js | 4.2.0 (canary_1) |
| zeit | next.js | 4.2.1 |
| zeit | next.js | 4.2.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zeit:next.js:4.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FF308D52-C219-4512-85D0-32C99517CC9F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C9B097A4-BF26-4D4B-8641-B9C17738B900",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "864DF585-629C-488A-96A9-61819C5B0A13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E746E3A9-C346-468F-92EB-7E8DA7BEFEE9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DF82B998-1D5D-433F-BA7C-D6304CF4D5F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "D1F0FAA0-5A32-4450-B7A5-71AFB795EE2B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:4.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F61C3C63-1E69-45D2-BACF-1938699C2DC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:4.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "304F8CD9-D6D6-406D-9C09-264D619602F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:4.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E9CD5807-CC5D-4341-8B66-2255685A3F5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:4.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "817B6FDF-E2D6-43EF-8728-2FB0D360D65C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "5BBB30EF-9483-4CFA-AD04-806452FDBAA8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:4.1.4:canary_1:*:*:*:*:*:*",
"matchCriteriaId": "4BDEBC17-F520-4949-8C89-B495EA634C2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:4.1.4:canary_2:*:*:*:*:*:*",
"matchCriteriaId": "B9990ABE-3103-4F0A-9719-BB0E2C5E78C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:4.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E077A185-C0B9-42B1-986B-90E2AC7C26F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:4.2.0:canary_1:*:*:*:*:*:*",
"matchCriteriaId": "07E3AD57-49F9-4878-A6B1-157504E0CC21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B5683332-125F-4535-9068-EAF5526BD802",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zeit:next.js:4.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "93B78182-12B0-4DB3-9762-B7965F182656",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace."
},
{
"lang": "es",
"value": "ZEIT Next.js 4 en versiones anteriores a la 4.2.3 tiene un salto de directorio bajo el espacio de nombre de petici\u00f3n /_next."
}
],
"id": "CVE-2018-6184",
"lastModified": "2024-11-21T04:10:14.563",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-01-24T10:29:01.020",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/zeit/next.js/releases/tag/4.2.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/zeit/next.js/releases/tag/4.2.3"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2017-16877
Vulnerability from fkie_nvd - Published: 2017-11-17 17:29 - Updated: 2025-04-20 01:37
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zeit:next.js:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AEA4AA2E-BA69-427D-BE80-A17A105F0835",
"versionEndExcluding": "2.4.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information."
},
{
"lang": "es",
"value": "ZEIT Next.js en versiones anteriores a la 2.4.1 contiene salto de directorio en el espacio de nombre de petici\u00f3n /_next y /static, lo que permite que los atacantes obtengan informaci\u00f3n sensible."
}
],
"id": "CVE-2017-16877",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-11-17T17:29:00.337",
"references": [
{
"source": "cve@mitre.org",
"url": "https://github.com/vercel/next.js/commit/02fe7cf63f6265d73bdaf8bc50a4f2fb539dcd00"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/zeit/next.js/releases/tag/2.4.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/vercel/next.js/commit/02fe7cf63f6265d73bdaf8bc50a4f2fb539dcd00"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/zeit/next.js/releases/tag/2.4.1"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2020-5284 (GCVE-0-2020-5284)
Vulnerability from cvelistv5 – Published: 2020-03-30 20:40 – Updated: 2024-08-04 08:22
Title
Directory Traversal in Next.js versions below 9.3.2
Summary
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.
Severity ?
4.4 (Medium)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
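| URL | Tags |
|---|---|
| https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj | x_refsource_CONFIRM |
| https://github.com/zeit/next.js/releases/tag/v9.3.2 | x_refsource_MISC |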
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.087Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zeit/next.js/releases/tag/v9.3.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "next.js",
"vendor": "zeit",
"versions": [
{
"status": "affected",
"version": "\u003c 9.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-30T20:40:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zeit/next.js/releases/tag/v9.3.2"
}
],
"source": {
"advisory": "GHSA-fq77-7p7r-83rj",
"discovery": "UNKNOWN"
},
"title": "Directory Traversal in Next.js versions below 9.3.2",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5284",
"STATE": "PUBLIC",
"TITLE": "Directory Traversal in Next.js versions below 9.3.2"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "next.js",
"version": {
"version_data": [
{
"version_value": "\u003c 9.3.2"
}
]
}
}
]
},
"vendor_name": "zeit"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-23: Relative Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj",
"refsource": "CONFIRM",
"url": "https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj"
},
{
"name": "https://github.com/zeit/next.js/releases/tag/v9.3.2",
"refsource": "MISC",
"url": "https://github.com/zeit/next.js/releases/tag/v9.3.2"
}
]
},
"source": {
"advisory": "GHSA-fq77-7p7r-83rj",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5284",
"datePublished": "2020-03-30T20:40:11",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-18282 (GCVE-0-2018-18282)
Vulnerability from cvelistv5 – Published: 2018-10-12 22:00 – Updated: 2024-09-16 16:33
Summary
Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags |
|---|---|
| https://github.com/zeit/next.js/releases/tag/7.0.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:08:21.378Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zeit/next.js/releases/tag/7.0.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-12T22:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zeit/next.js/releases/tag/7.0.2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18282",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/zeit/next.js/releases/tag/7.0.2",
"refsource": "MISC",
"url": "https://github.com/zeit/next.js/releases/tag/7.0.2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-18282",
"datePublished": "2018-10-12T22:00:00Z",
"dateReserved": "2018-10-12T00:00:00Z",
"dateUpdated": "2024-09-16T16:33:11.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-6184 (GCVE-0-2018-6184)
Vulnerability from cvelistv5 – Published: 2018-01-24 10:00 – Updated: 2024-08-05 05:54
Summary
ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags |
|---|---|
| https://github.com/zeit/next.js/releases/tag/4.2.3 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:54:53.307Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zeit/next.js/releases/tag/4.2.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-01-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-24T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zeit/next.js/releases/tag/4.2.3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-6184",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/zeit/next.js/releases/tag/4.2.3",
"refsource": "CONFIRM",
"url": "https://github.com/zeit/next.js/releases/tag/4.2.3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-6184",
"datePublished": "2018-01-24T10:00:00",
"dateReserved": "2018-01-24T00:00:00",
"dateUpdated": "2024-08-05T05:54:53.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16877 (GCVE-0-2017-16877)
Vulnerability from cvelistv5 – Published: 2017-11-17 17:00 – Updated: 2024-09-17 02:31
Summary
ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:21.292Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/zeit/next.js/releases/tag/2.4.1"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/vercel/next.js/commit/02fe7cf63f6265d73bdaf8bc50a4f2fb539dcd00"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-11-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-07T21:55:37.660177",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/zeit/next.js/releases/tag/2.4.1"
},
{
"url": "https://github.com/vercel/next.js/commit/02fe7cf63f6265d73bdaf8bc50a4f2fb539dcd00"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-16877",
"datePublished": "2017-11-17T17:00:00Z",
"dateReserved": "2017-11-17T00:00:00Z",
"dateUpdated": "2024-09-17T02:31:11.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5284 (GCVE-0-2020-5284)
Vulnerability from nvd – Published: 2020-03-30 20:40 – Updated: 2024-08-04 08:22
Title
Directory Traversal in Next.js versions below 9.3.2
Summary
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.
Severity ?
4.4 (Medium)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
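| URL | Tags |
|---|---|
| https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj | x_refsource_CONFIRM |
| https://github.com/zeit/next.js/releases/tag/v9.3.2 | x_refsource_MISC |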
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.087Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zeit/next.js/releases/tag/v9.3.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "next.js",
"vendor": "zeit",
"versions": [
{
"status": "affected",
"version": "\u003c 9.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-30T20:40:11",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zeit/next.js/releases/tag/v9.3.2"
}
],
"source": {
"advisory": "GHSA-fq77-7p7r-83rj",
"discovery": "UNKNOWN"
},
"title": "Directory Traversal in Next.js versions below 9.3.2",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5284",
"STATE": "PUBLIC",
"TITLE": "Directory Traversal in Next.js versions below 9.3.2"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "next.js",
"version": {
"version_data": [
{
"version_value": "\u003c 9.3.2"
}
]
}
}
]
},
"vendor_name": "zeit"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-23: Relative Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj",
"refsource": "CONFIRM",
"url": "https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj"
},
{
"name": "https://github.com/zeit/next.js/releases/tag/v9.3.2",
"refsource": "MISC",
"url": "https://github.com/zeit/next.js/releases/tag/v9.3.2"
}
]
},
"source": {
"advisory": "GHSA-fq77-7p7r-83rj",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5284",
"datePublished": "2020-03-30T20:40:11",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-04T08:22:09.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-18282 (GCVE-0-2018-18282)
Vulnerability from nvd – Published: 2018-10-12 22:00 – Updated: 2024-09-16 16:33
Summary
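Next.js 7.0.0 and 7.0.1 have XSS via the 404 or 500 /_error page. The CNA record below lists product, vendor and version as "n/a", so the affected versions appear only in this description; its single reference is the 7.0.2 release tag.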
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:08:21.378Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/zeit/next.js/releases/tag/7.0.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-12T22:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zeit/next.js/releases/tag/7.0.2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-18282",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/zeit/next.js/releases/tag/7.0.2",
"refsource": "MISC",
"url": "https://github.com/zeit/next.js/releases/tag/7.0.2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-18282",
"datePublished": "2018-10-12T22:00:00Z",
"dateReserved": "2018-10-12T00:00:00Z",
"dateUpdated": "2024-09-16T16:33:11.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-6184 (GCVE-0-2018-6184)
Vulnerability from nvd – Published: 2018-01-24 10:00 – Updated: 2024-08-05 05:54
Summary
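ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace. The CNA record below lists product, vendor and version as "n/a", so matching on this record's affected fields alone may miss it; the affected range appears only in this description.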
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:54:53.307Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/zeit/next.js/releases/tag/4.2.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-01-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-24T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zeit/next.js/releases/tag/4.2.3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-6184",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/zeit/next.js/releases/tag/4.2.3",
"refsource": "CONFIRM",
"url": "https://github.com/zeit/next.js/releases/tag/4.2.3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-6184",
"datePublished": "2018-01-24T10:00:00",
"dateReserved": "2018-01-24T00:00:00",
"dateUpdated": "2024-08-05T05:54:53.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16877 (GCVE-0-2017-16877)
Vulnerability from nvd – Published: 2017-11-17 17:00 – Updated: 2024-09-17 02:31
Summary
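ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information. The CNA record below lists product, vendor and version as "n/a", so the affected range appears only in this description; the references are the 2.4.1 release tag and a next.js commit.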
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:21.292Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/zeit/next.js/releases/tag/2.4.1"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/vercel/next.js/commit/02fe7cf63f6265d73bdaf8bc50a4f2fb539dcd00"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-11-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-07T21:55:37.660177",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/zeit/next.js/releases/tag/2.4.1"
},
{
"url": "https://github.com/vercel/next.js/commit/02fe7cf63f6265d73bdaf8bc50a4f2fb539dcd00"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-16877",
"datePublished": "2017-11-17T17:00:00Z",
"dateReserved": "2017-11-17T00:00:00Z",
"dateUpdated": "2024-09-17T02:31:11.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}