Authentication Bypass by Spoofing in next-auth - CVE-2021-21310
Published: November 21, 2023
Vulnerability identifier: #VU83343
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-21310
CWE-ID: CWE-290
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: NextAuth.js
Affected software:
next-auth
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to improper authentication in the Prisma database adapter, which checks the verification token but not the identifier (the email address associated with the token). A remote attacker can bypass the authentication process.
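The weakness described above, as an added illustration that is not NextAuth.js or Prisma adapter code: a constructed in-memory verification-token store with a lookup that matches only the token beside one that also requires the identifier the token was issued for.

```javascript
// Constructed example (not NextAuth.js code): an in-memory stand-in for an
// email verification-token table. A real store would hash tokens and delete
// a record once it is used; both are omitted to keep the comparison focused.
const store = [
  // Constructed sample row: one token issued for alice@example.com.
  { identifier: "alice@example.com", token: "tok-for-alice", expires: Date.now() + 3600 * 1000 },
];

// Vulnerable pattern: the token alone selects the record, so the identifier
// supplied in the sign-in callback is never compared with the one the token
// was issued to, and the caller-supplied identifier is what gets signed in.
function useVerificationTokenVulnerable({ identifier, token }) {
  const row = store.find((r) => r.token === token);
  if (!row || row.expires < Date.now()) return null;
  return { identifier, token: row.token };
}

// Hardened pattern: the record must match both identifier and token, and the
// identifier returned is the stored one, not the caller's.
function useVerificationTokenHardened({ identifier, token }) {
  const row = store.find((r) => r.identifier === identifier && r.token === token);
  if (!row || row.expires < Date.now()) return null;
  return { identifier: row.identifier, token: row.token };
}

// Exercise both lookups with a matching pair and with a token paired to a
// different (constructed) email address.
function demo() {
  const mismatched = { identifier: "mallory@example.com", token: "tok-for-alice" };
  const matched = { identifier: "alice@example.com", token: "tok-for-alice" };
  return {
    vulnerableAcceptsMismatch: useVerificationTokenVulnerable(mismatched) !== null,
    hardenedAcceptsMismatch: useVerificationTokenHardened(mismatched) !== null,
    hardenedAcceptsMatch: useVerificationTokenHardened(matched) !== null,
  };
}

console.log(demo());
```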
How to mitigate CVE-2021-21310
Install updates from the vendor's website.