ghsa-pg53-56cg-4m8q
Vulnerability from github
Published
2021-02-11 21:36
Modified
2021-02-22 20:43
Summary
Token verification bug in next-auth
Details

Impact

Implementations using the Prisma database adapter with the Email provider are impacted.

Implementations using the Prisma database adapter that are not using the Email provider are not impacted. Implementations using the default database adapter (TypeORM) with the Email provider are not impacted. Implementations not using a database are not impacted.

Patches

This issue is fixed in 3.3.0 and newer versions.

Workarounds

Those not able to upgrade can alternatively disable the Email provider as a workaround.

Description

The Prisma database adapter was checking the verification token but not the identifier (the email address associated with the token). This made it possible to use a valid token assigned to one user, to sign in as another user when using the Prima adapter in conjunction with the Email provider. The defect is specific to the community-supported Prisma database adapter in versions <3.3.0 and is not present in the default database adapter (TypeORM).

Note: The current community-supported adapter was not developed by Prisma.

The defect was a problem in the implementation of verification function the adapter and is not directly related to Prisma.

The flaw may exist in other third party database adapters that do not check both the identifier and token values.

The design of the database adapter API may be revised in future to help reduce the likelyhood of similar defects.

Timeline

On Monday (2021-02-08) we were notified via responsible disclosure by Alessandro Angelino (@AlessandroA) of a flaw in the implementation of the Prisma database adapter included with NextAuth.js. A detailed write up and proof of concept were provided.

The following day (2021-02-09) we published a fix in v3.3.0 and confirmed through internal testing, and with Alessandro, that the issue was resolved in the new release and prompted users to upgrade.

On 2021-02-10 we received a CVE ID and published this advisory within a few hours of notification.

We would like to thank Alessandro for using responsible disclose to allow us to address the issue promptly and publish this advisory once an update was available that resolved the issue and Balázs Orbán (@balazsorban44) for facilitating a timely release of the fix.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21310"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-02-11T21:36:12Z",
    "nvd_published_at": "2021-02-11T22:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nImplementations using the **Prisma database adapter** with the **Email provider** **are impacted**.\n\nImplementations using the Prisma database adapter that are not using the Email provider are not impacted.\nImplementations using the default database adapter (TypeORM) with the Email provider are not impacted.\nImplementations not using a database are not impacted.\n\n### Patches\n\nThis issue is fixed in 3.3.0 and newer versions.\n\n### Workarounds\n\nThose not able to upgrade can alternatively disable the Email provider as a workaround.\n\n### Description\n\nThe Prisma database adapter was checking the verification token but not the identifier (the email address associated with the token). This made it possible to use a valid token assigned to one user, to sign in as another user when using the Prima adapter in conjunction with the Email provider. The defect is specific to the community-supported Prisma database adapter in versions \u003c3.3.0 and is not present in the default database adapter (TypeORM).\n\n*Note:  The current community-supported adapter was not developed by Prisma.*\n\nThe defect was a problem in the implementation of verification function the adapter and is not directly related to Prisma.\n\nThe flaw may exist in other third party database adapters that do not check both the identifier and token values.\n\nThe design of the database adapter API may be revised in future to help reduce the likelyhood of similar defects.\n\n### Timeline\n\nOn Monday (2021-02-08) we were notified via responsible disclosure by Alessandro Angelino (@AlessandroA) of a flaw in the implementation of the Prisma database adapter included with NextAuth.js. A detailed write up and proof of concept were provided.\n\nThe following day (2021-02-09) we published a fix in v3.3.0 and confirmed through internal testing, and with Alessandro, that the issue was resolved in the new release and prompted users to upgrade.\n\nOn 2021-02-10 we received a CVE ID and published this advisory within a few hours of notification.\n\nWe would like to thank Alessandro for using responsible disclose to allow us to address the issue promptly and publish this advisory once an update was available that resolved the issue and Bal\u00e1zs Orb\u00e1n (@balazsorban44) for facilitating a timely release of the fix.",
  "id": "GHSA-pg53-56cg-4m8q",
  "modified": "2021-02-22T20:43:03Z",
  "published": "2021-02-11T21:36:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pg53-56cg-4m8q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21310"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextauthjs/next-auth/releases/tag/v3.3.0"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/next-auth"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Token verification bug in next-auth"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.