CVE-2022-29172 - Vulnerability Details

Vendors	Products
Auth0	Lock

Link	Providers
https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1
https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7

{"containers": {"cna": {"affected": [{"product": "lock", "vendor": "auth0", "versions": [{"status": "affected", "version": "< 11.33.0"}]}], "descriptions": [{"lang": "en", "value": "Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the \u201cadditional signup fields\u201d feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the \u201cadditional signup fields\u201d feature in your application. Upgrade to version `11.33.0`."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-05T22:50:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1"}], "source": {"advisory": "GHSA-7ww6-75fj-jcj7", "discovery": "UNKNOWN"}, "title": "HTML injection with additional signup fields", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-29172", "STATE": "PUBLIC", "TITLE": "HTML injection with additional signup fields"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "lock", "version": {"version_data": [{"version_value": "< 11.33.0"}]}}]}, "vendor_name": "auth0"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the \u201cadditional signup fields\u201d feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the \u201cadditional signup fields\u201d feature in your application. Upgrade to version `11.33.0`."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7", "refsource": "CONFIRM", "url": "https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7"}, {"name": "https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1", "refsource": "MISC", "url": "https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1"}]}, "source": {"advisory": "GHSA-7ww6-75fj-jcj7", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:17:53.986Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-29172", "datePublished": "2022-05-05T22:50:09", "dateReserved": "2022-04-13T00:00:00", "dateUpdated": "2024-08-03T06:17:53.986Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:auth0:lock:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "CFD2AD83-48BA-494A-80F6-79E53F168CFB", "versionEndExcluding": "11.33.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the \u201cadditional signup fields\u201d feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the \u201cadditional signup fields\u201d feature in your application. Upgrade to version `11.33.0`."}, {"lang": "es", "value": "Auth0 es un broker de autenticaci\u00f3n que soporta proveedores de identidad social y empresarial, incluyendo Active Directory, LDAP, Google Apps y Salesforce. En las versiones anteriores a \"11.33.0\", cuando la funcionalidad \"additional signup fields\" [est\u00e1 configurada] (https://github.com/auth0/lock#additional-sign-up-fields), un actor malicioso puede inyectar c\u00f3digo HTML inv\u00e1lido en estos campos adicionales, que luego es almacenado en la carga \u00fatil del servicio \"user_metdata\" (usando la propiedad \"name\"). Los correos electr\u00f3nicos de verificaci\u00f3n, cuando son aplicados, son generados usando estos metadatos. Por lo tanto, es posible que un actor dise\u00f1e un enlace malicioso inyectando HTML, que luego es presentado como el nombre del destinatario dentro de la plantilla de correo electr\u00f3nico entregada. Esta vulnerabilidad le afecta si usa la versi\u00f3n \"auth0-lock\" o inferior y usa la funcionalidad de \"additional signup fields\" en su aplicaci\u00f3n. Actualice a versi\u00f3n \"11.33.0\""}], "id": "CVE-2022-29172", "lastModified": "2024-11-21T06:58:38.247", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-05T23:15:09.150", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object