pferron / Case144951-2


CVE-2024-47831 (Medium) detected in next-12.3.4.tgz #15

Open mend-for-github-com[bot] opened 1 day ago

mend-for-github-com[bot] commented 1 day ago

CVE-2024-47831 - Medium Severity Vulnerability

Vulnerable Library - next-12.3.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-12.3.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

- @cvent/planner-event-hubs-5.10.8.tgz (Root Library)
  - @cvent/shared-core-events-ui-1.10.28.tgz
    - :x: **next-12.3.4.tgz** (Vulnerable Library)

Found in HEAD commit: 76c480313a5477fafa2e95a627397a20f19acfdb

Found in base branch: main

Vulnerability Details

Next.js is a React Framework for the Web. Versions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition that could lead to excessive CPU consumption. Applications whose `next.config.js` sets `images.unoptimized` to `true` or `images.loader` to a non-default value are not affected, and neither are Next.js applications hosted on Vercel. This issue was fully patched in Next.js `14.2.7`. As a workaround, ensure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned.

Publish Date: 2024-10-14

URL: CVE-2024-47831

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (5.9)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m

Release Date: 2024-10-14

Fix Resolution: next - 14.2.7

mend-for-github-com[bot] commented 1 day ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 1 day ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.