Description

Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.

Remediation

References

CVE-2020-5284

Related Vulnerabilities

WordPress Plugin Ultimate Member-User Profile, Registration, Login, Member Directory, Content Restriction & Membership Cross-Site Scripting (2.8.4)

PHP Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-0057)

Apache HTTP Server Resource Management Errors Vulnerability (CVE-2007-6423)

Oracle JRE CVE-2018-2639 Vulnerability (CVE-2018-2639)

Dolibarr Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-17898)

Severity

Medium

Classification

CVE-2020-5284 CWE-22 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities