CVE-2024-22206

Summary

Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3.

Affected Software

VendorProductVersion RangeStatus
clerkjavascript>= 4.7.0, < 4.29.3affected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control
  • CWE-287: CWE-287: Improper Authentication
  • CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References