SB2021021911 - Authentication bypass in NextAuth.js Prisma database adapter

Published: February 19, 2021 Updated: November 21, 2023

Security Bulletin ID: SB2021021911
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Authentication Bypass by Spoofing (CVE-ID: CVE-2021-21310)

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to improper authentication in the Prisma database adapter, which checks the verification token but not the identifier (the email address associated with the token). A remote attacker can bypass the authentication process.
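The following is an added illustration of the check described above, not code from NextAuth.js or the Prisma adapter: a token lookup keyed on the token alone beside one keyed on both identifier and token, run against a constructed in-memory stand-in for the verification table (the row shape and function names are assumptions made for this example).

```javascript
// Constructed sample rows standing in for the adapter's verification table
// (assumption for this example; not the real schema). Expiry is far in the
// future so the example runs offline at any time.
const constructedTokens = [
  { identifier: "alice@example.com", token: "tok-alice", expires: Date.parse("2099-01-01T00:00:00Z") },
  { identifier: "bob@example.com",   token: "tok-bob",   expires: Date.parse("2099-01-01T00:00:00Z") },
];

// Weak pattern: the row is located by token only, so the identifier the
// caller presents is never compared with the identifier the token was
// issued for, and the caller-supplied address ends up treated as verified.
function lookupByTokenOnly(rows, identifier, token) {
  const row = rows.find((r) => r.token === token);
  if (!row || row.expires < Date.now()) return null;
  return { identifier, verified: true }; // trusts the caller's identifier
}

// Hardened pattern: the lookup is keyed on (identifier, token), so a token
// can only verify the address it was issued to, and the verified identifier
// comes from the stored row rather than from the caller.
function lookupByIdentifierAndToken(rows, identifier, token) {
  const row = rows.find((r) => r.identifier === identifier && r.token === token);
  if (!row || row.expires < Date.now()) return null;
  return { identifier: row.identifier, verified: true };
}

// Mismatched identifier/token pair: the weak lookup still verifies,
// the hardened lookup rejects it.
console.log(lookupByTokenOnly(constructedTokens, "bob@example.com", "tok-alice"));
console.log(lookupByIdentifierAndToken(constructedTokens, "bob@example.com", "tok-alice"));
```

Real adapters should additionally delete the row on use so each token is single-use; that is left out here to keep the comparison focused on the identifier check.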


Remediation

Install the update from the vendor's website.