CVE-2022-23646 (High) detected in next-10.2.3.tgz #886
Comments
|
👋 Thanks for reporting! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
CVE-2022-23646 - High Severity Vulnerability
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-10.2.3.tgz
Path to dependency file: /tilt_modules/tilt_inspector/package.json
Path to vulnerable library: /tilt_modules/tilt_inspector/node_modules/next/package.json
Dependency Hierarchy:
Found in HEAD commit: db90168d76823eb927283f83cb3173cd9cf16599
Found in base branch: master
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the
next.config.jsfile must have animages.domainsarray assigned and the image host assigned inimages.domainsmust allow user-provided SVG. If thenext.config.jsfile hasimages.loaderassigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, changenext.config.jsto use a differentloader configurationother than the default.Publish Date: 2022-02-17
URL: CVE-2022-23646
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23646
Release Date: 2022-02-17
Fix Resolution: next - 12.1.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: