Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2020-5284 Vulnerability in npm package next

Description

Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.

Remediation

References

https://github.com/zeit/next.js/releases/tag/v9.3.2

https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj

Related Vulnerabilities

CVE-2021-23784 Vulnerability in npm package tempura

CVE-2020-13973 Vulnerability in maven package com.mikesamuel:json-sanitizer

CVE-2017-16118 Vulnerability in maven package org.webjars.npm:forwarded

CVE-2019-19771 Vulnerability in npm package crytpo-js

CVE-2023-30532 Vulnerability in maven package org.jenkinsci.plugins.spoonscript:spoonscript

Severity

Medium

Classification

CWE-23 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Release Notes Third Party Advisory