6.1

CVSS Score

Basic Information

CVE ID

CVE-2023-34247

GHSA ID

GHSA-jqxr-vjvv-899m

EPSS Score

CWE

CWE-601

Published

6/14/2023

Updated

11/4/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-34247

CVE-2023-34247:
@keystone-6/auth Open Redirect vulnerability

Summary

There is an open redirect in the @keystone-6/auth package, where the redirect leading / filter can be bypassed.

Impact

Users may be redirected to domains other than the relative host, thereby it might be used by attackers to re-direct users to an unexpected location.

Mitigations

Don't use the @keystone-6/auth package

References

Similar Vulnerability Reports

Credits

Thanks to morioka12 for reporting this problem.

If you have any questions around this security advisory, please don't hesitate to contact us at security@keystonejs.com, or open an issue on GitHub.

If you have a security flaw to report for any software in this repository, please see our SECURITY policy.

(GitHub Advisory)

6.1

CVSS Score

Basic Information

CVE ID

CVE-2023-34247

GHSA ID

GHSA-jqxr-vjvv-899m

EPSS Score

CWE

CWE-601

Published

6/14/2023

Updated

11/4/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@keystone-6/auth	npm	< 7.0.0	7.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability was explicitly addressed by removing redirect functionality in PR #8626. The commit messages and PR title indicate the redirect logic in authentication flows was the attack surface. Open redirect vulnerabilities typically involve improper validation of URL parameters in redirection handlers, which aligns with the CWE-601 description and the mitigation strategy of removing the feature entirely.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry T**r* is *n op*n r**ir**t in t** `@k*yston*-*/*ut*` p**k***, w**r* t** r**ir**t l***in* `/` *ilt*r **n ** *yp*ss**. ### Imp**t Us*rs m*y ** r**ir**t** to *om*ins ot**r t**n t** r*l*tiv* *ost, t**r**y it mi**t ** us** *y *tt**k*rs to r*-*

Reasoning

T** vuln*r**ility w*s *xpli*itly ***r*ss** *y r*movin* r**ir**t *un*tion*lity in PR #****. T** *ommit m*ss***s *n* PR titl* in*i**t* t** r**ir**t lo*i* in *ut**nti**tion *lows w*s t** *tt**k sur****. Op*n r**ir**t vuln*r**iliti*s typi**lly involv* im

6.1

Basic Information

Concerned about an active attack path?

CVE-2023-34247: @keystone-6/auth Open Redirect vulnerability

Summary

Impact

Mitigations

References

Similar Vulnerability Reports

Credits

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-34247:
@keystone-6/auth Open Redirect vulnerability

Vulnerability Intelligence
Miggo AI