SCA: security update for next-auth (GHSA-pg53-56cg-4m8q)

medium Tenable Self-Hosted Container Security Plugin ID 417501

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- NextAuth.js (next-auth) is am open source authentication solution for Next.js applications. In next-auth
before version 3.3.0 there is a token verification vulnerability. Implementations using the Prisma
database adapter in conjunction with the Email provider are impacted. Implementations using the Email
provider with the default database adapter are not impacted. Implementations using the Prisma database
adapter but not using the Email provider are not impacted. The Prisma database adapter was checking the
verification token, but was not verifying the email address associated with that token. This made it
possible to use a valid token to sign in as another user when using the Prima adapter in conjunction with
the Email provider. This issue is specific to the community supported Prisma adapter. This issue is fixed
in version 3.3.0. (CVE-2021-21310)

See Also

https://github.com/advisories/GHSA-pg53-56cg-4m8q

Plugin Details

Severity: Medium

ID: 417501

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-21310

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/11/2021

Vulnerability Publication Date: 2/11/2021

Reference Information

CVE: CVE-2021-21310

cwe: CWE-290