CVE-2024-34350 Next.js


In May, the Qualys Web Application Scanning (WAS) team issued a critical security signatures update. This update expands the scope to detect vulnerabilities in several widely-used software applications, including WordPress, NEOSDiscovery, Zabbix, CData, BIG-IP Next Central Manager, Apache OFBiz, Apache Superset, jQuery, Cacti, Ivanti Endpoint Manager Mobile (EPMM), Nexus Repository 3, JetBrains TeamCity, Atlassian Confluence Data Center and Server, Next.js, OpenSSL and Tinyproxy.

QID     Title
150319
150743  Potential SSRF
150796  Presence of Privacy Policy Information
150798  HTTP Method Tampering
150811  Source Code Disclosure
150814  Pixel or Web Beacon Tracking Technology Found
150823  HTTP TRACE Method Detected
150844  Cross-Site Tracing Found
150879  WordPress All in One SEO Pack Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2024-3368)
150881  NEOSDiscovery Reverse Tabnabbing Vulnerability (CVE-2022-4927)
150889  Zabbix Cross-Site Scripting Vulnerability (CVE-2024-22119)
150890  WordPress Forminator Plugin: File Upload Vulnerability (CVE-2024-28890)
150901  WordPress Forminator Plugin: SQL Injection Vulnerability (CV

Next.js Vulnerabilities - 20240513002

Overview

The WA SOC has been made aware of two vulnerabilities found in Next.js. Next.js is a React framework for building full-stack web applications.

What is vulnerable?

CVE-2024-34350
  Severity: High
  CVSS: 7.8
  Product(s) affected: versions before 13.5.1
  Summary: A response queue poisoning vulnerability exists due to inconsistent interpretation of crafted HTTP requests, which are treated as both a single request and two separate requests
  Dated: 08/05/2024

CVE-2024-34351
  Severity: High
  CVSS: 7.8
  Product(s) affected: versions before 14.1.1
  Summary: A Server-Side Request Forgery (SSRF) vulnerability exists in the Next.js API endpoint _next/image, which is used to locate an image in the backend
  Dated: 08/05/2024
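To turn the two rows above into something an administrator can actually run against a deployment, here is an added example (it is not code from the WA SOC advisory or from the Next.js project). It reads the resolved version of the `next` package from a project's `node_modules` and reports which of the two advisories still apply, using the fixed versions stated in the table (13.5.1 and 14.1.1) as upper bounds; it does not apply the 13.4.0 lower bound mentioned later on this page, so every older release is reported as affected. The version parser, the `ADVISORIES` table, the `installedNextVersion` helper and the sample versions are my own assumptions.

```javascript
// Added example, not WA SOC or Next.js code: report which of the two advisories
// above apply to an installed `next` version. Fixed versions come from the table.
const ADVISORIES = [
  { id: 'CVE-2024-34350', fixedIn: '13.5.1', summary: 'HTTP response queue poisoning (request smuggling)' },
  { id: 'CVE-2024-34351', fixedIn: '14.1.1', summary: 'SSRF via the _next/image endpoint' },
];

// Parse an exact version such as "13.5.0", "v13.5.0" or "14.1.1-canary.2".
// Manifest ranges like "^13.4.0" are deliberately rejected: check the version
// that is actually installed, not the range that was requested.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`not an exact version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || null };
}

// Numeric comparison (so 13.4.0 < 13.10.0); a pre-release sorts before the
// same release version, as semver specifies.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Return the ids of the advisories whose fixed version is newer than `installed`.
function affectedAdvisories(installed) {
  const v = parseVersion(installed);
  return ADVISORIES
    .filter((a) => compareVersions(v, parseVersion(a.fixedIn)) < 0)
    .map((a) => a.id);
}

// Read the resolved version from node_modules/next/package.json rather than the
// project's own package.json, whose "next" entry is usually a range.
function installedNextVersion(projectDir) {
  const fs = require('node:fs');
  const path = require('node:path');
  const manifest = path.join(projectDir, 'node_modules', 'next', 'package.json');
  return JSON.parse(fs.readFileSync(manifest, 'utf8')).version;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node check-next.js /path/to/project (defaults to the current directory).
  try {
    const version = installedNextVersion(process.argv[2] || process.cwd());
    const hits = affectedAdvisories(version);
    console.log(`next ${version}: ${hits.length ? 'affected by ' + hits.join(', ') : 'not affected by either advisory'}`);
  } catch (err) {
    console.error(`could not determine the installed next version: ${err.message}`);
  }
}
```

Run it from each deployed project directory rather than from a lockfile checked out elsewhere, since the lockfile can lag behind what was actually installed; the exit message names only the advisories on this page.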

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends that administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of one month... (refer to Patch Management).

Additional References



CVSS Meta Temp Score: 6.3
Current Exploit Price (≈): $0-$5k
CTI Interest Score: 0.00

Summary

A vulnerability labeled as problematic has been found in vercel next.js up to 13.5.0. This affects an unknown function of the component HTTP Request Handler. The manipulation results in request smuggling. This vulnerability is known as CVE-2024-34350. It is possible to launch the attack remotely. No exploit is present. The affected component should be upgraded. VulDB is the best source for vulnerability data and more expert information about this specific topic.

Details

A vulnerability classified as problematic has been found in vercel next.js up to 13.5.0. Affected is an unknown part of the component HTTP Request Handler. The manipulation with an unknown input leads to a request smuggling vulnerability. CWE is classifying the issue as CWE-444: the product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed


Next.js Vulnerable to HTTP Request Smuggling in npm/next

Background

Next.js is a popular open-source framework for building server-side rendered (SSR) React applications. It provides a simple and efficient way to create dynamic web pages with React components. The vulnerability affects the npm package 'next', specifically versions 13.4.0 to 13.5.0. Next.js uses the 'rewrites' feature, which allows developers to customize routing and handle URL rewrites. However, due to inconsistent interpretation of crafted HTTP requests, Next.js treats requests as both a single request and two separate requests, leading to desynchronized responses. This vulnerability can be exploited when the affected route is using the 'rewrites' feature.
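The CWE-444 description earlier on this page and the remark above that the framework treats a crafted request as both one request and two describe the same general failure: an intermediary accepting a message whose body boundary can be read in two different ways by the components in front of and behind it. The following added example (it is not code from Next.js, VulDB, or any of the sources quoted on this page) shows the strict framing check a front end or framework server can apply so that such a message is refused rather than forwarded, following the RFC 9112 rules on Content-Length and Transfer-Encoding. The request samples are constructed for the demonstration and the function names are mine.

```javascript
// Added example, not code from the page or from the Next.js project: a strict
// HTTP/1.1 request-framing check of the kind an intermediary should apply so
// that it never accepts a request whose body length could be read two ways.
// Every ambiguous case is refused with a reason instead of being forwarded.

const KNOWN_CODINGS = new Set(['chunked', 'gzip', 'deflate', 'compress', 'identity']);

// Split the request head into the request line and header fields. Returns null
// when the CRLF CRLF terminator has not arrived yet.
function parseHead(raw) {
  const end = raw.indexOf('\r\n\r\n');
  if (end === -1) return null;
  const lines = raw.slice(0, end).split('\r\n');
  const head = { requestLine: lines[0], headers: [], error: null };
  for (const line of lines.slice(1)) {
    // Obsolete line folding (a header continued on an SP/HTAB-prefixed line) is a
    // classic source of disagreement between front end and back end: reject it.
    if (/^[ \t]/.test(line)) { head.error = 'obsolete-line-folding'; break; }
    const colon = line.indexOf(':');
    const name = colon === -1 ? '' : line.slice(0, colon);
    // RFC 9112 allows no whitespace between the field name and the colon.
    if (!name || /\s/.test(name)) { head.error = 'malformed-header-line'; break; }
    head.headers.push({ name: name.toLowerCase(), value: line.slice(colon + 1).trim() });
  }
  return head;
}

// Decide how the body is delimited, refusing every ambiguous combination.
function checkFraming(raw) {
  const head = parseHead(raw);
  if (!head) return { ok: false, reason: 'incomplete-head' };
  if (head.error) return { ok: false, reason: head.error };

  const cl = head.headers.filter((h) => h.name === 'content-length');
  const te = head.headers.filter((h) => h.name === 'transfer-encoding');

  // Both delimiters present: RFC 9112 permits treating this as an error, and a
  // strict intermediary should, because a lenient peer may honour the other one.
  if (cl.length && te.length) return { ok: false, reason: 'content-length-and-transfer-encoding' };

  if (cl.length) {
    const values = new Set(cl.map((h) => h.value));
    if (values.size > 1) return { ok: false, reason: 'conflicting-content-length' };
    const value = cl[0].value;
    if (!/^\d+$/.test(value)) return { ok: false, reason: 'non-numeric-content-length' };
    return { ok: true, framing: 'content-length', length: Number(value) };
  }

  if (te.length) {
    const codings = te.flatMap((h) => h.value.split(',')).map((c) => c.trim().toLowerCase());
    if (codings.some((c) => !KNOWN_CODINGS.has(c))) return { ok: false, reason: 'unknown-transfer-coding' };
    // chunked must be the final coding; otherwise the body length is undetermined.
    if (codings[codings.length - 1] !== 'chunked') return { ok: false, reason: 'chunked-not-final' };
    return { ok: true, framing: 'chunked' };
  }

  return { ok: true, framing: 'no-body' };
}

// Constructed sample request heads (CRLF line endings as on the wire).
const SAMPLES = {
  plainGet: 'GET /api/items HTTP/1.1\r\nHost: app.example\r\n\r\n',
  lengthPost: 'POST /api/items HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello',
  bothDelimiters: 'POST /api/items HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n',
  twoLengths: 'POST /api/items HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n',
  chunkedNotLast: 'POST /api/items HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked, gzip\r\n\r\n',
  foldedHeader: 'GET /api/items HTTP/1.1\r\nHost: app.example\r\nX-Note: a\r\n b\r\n\r\n',
};

// Run every sample through the check and return the verdicts keyed by name.
function checkSamples() {
  const out = {};
  for (const [name, raw] of Object.entries(SAMPLES)) out[name] = checkFraming(raw);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, r] of Object.entries(checkSamples())) {
    console.log(name.padEnd(16), r.ok ? `accept (${r.framing})` : `reject (${r.reason})`);
  }
}
```

The point of refusing rather than "fixing" an ambiguous head is that the two sides of a proxied connection must agree on where each request ends; a component that quietly picks one interpretation (for example by ignoring a duplicate Content-Length) is exactly the inconsistent intermediary CWE-444 describes. In production the same rules are normally enforced by the reverse proxy or the HTTP library rather than by hand-written parsing, so the practical check is to confirm that the front end rejects these samples with a 400 response.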

Vulnerability Detail

The vulnerability in Next.js allows for HTTP Request Smuggling, specifically a response queue poisoning vulnerability. By sending a crafted HTTP request, an attacker can manipulate the response queue and potentially inject malicious content or disrupt the normal flow of the application. This can lead to various security risks, such as unauthorized access, data leakage, or denial of service attacks. The vulnerability has a CVSS score

This week, we have news of two high-profile breaches. First up is the Dropbox breach, potentially affecting millions of users, and then the Dell breach, affecting 49 million records. We also have details of a vulnerability in the Next.js component. We also have a free on-demand recording from Microsoft Build on Navigating the Depths of API Security testing. We share an article on how API growth is causing cybersecurity concerns and the menace of unknown APIs. Finally, we have a refresh of the excellent Awesome API Security guide. 

Breach: Dropbox users in major data breach

The first breach this week was a potentially large-scale one suffered by Dropbox. Dropbox disclosed a data breach affecting its Dropbox Sign (formerly HelloSign) users. The company filed a breach disclosure with the US Securities and Exchange Commission (SEC) and posted a blog alerting customers about the incident on April 24th, 2024.

Unauthorized access was gained to the Dropbox Sign production environment, compromising customer information such as emails, usernames, phone numbers, hashed passwords, account settings, and authentication information (API keys, OAuth tokens, and multi-factor authentication)