Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qcXhyLXZqdnYtODk5bc4AAz2U
@keystone-6/auth Open Redirect vulnerability
Summary
There is an open redirect in the @keystone-6/auth
package, where the redirect leading /
filter can be bypassed.
Impact
Users may be redirected to domains other than the relative host, thereby it might be used by attackers to re-direct users to an unexpected location.
Mitigations
- Don't use the
@keystone-6/auth
package
References
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- OWASP: Unvalidated Redirects and Forwards Cheat Sheet
Similar Vulnerability Reports
Credits
Thanks to morioka12 for reporting this problem.
If you have any questions around this security advisory, please don't hesitate to contact us at [email protected], or open an issue on GitHub.
If you have a security flaw to report for any software in this repository, please see our SECURITY policy.
Permalink: https://github.com/advisories/GHSA-jqxr-vjvv-899mJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qcXhyLXZqdnYtODk5bc4AAz2U
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 6 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
Identifiers: GHSA-jqxr-vjvv-899m, CVE-2023-34247
References:
- https://github.com/keystonejs/keystone/security/advisories/GHSA-jqxr-vjvv-899m
- https://nvd.nist.gov/vuln/detail/CVE-2023-34247
- https://github.com/keystonejs/keystone/pull/8626
- https://github.com/advisories/GHSA-jqxr-vjvv-899m
Blast Radius: 12.5
Affected Packages
npm:@keystone-6/auth
Dependent packages: 4Dependent repositories: 110
Downloads: 111,257 last month
Affected Version Ranges: < 7.0.0
Fixed in: 7.0.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 2.0.0, 3.0.0, 4.0.0, 4.0.1, 5.0.0, 5.0.1, 6.0.0
All unaffected versions: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 8.0.0