CVE-2018-15121 — HIGH (8.8)

Vulnerability Description

An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. Affected packages do not use or validate the state parameter of the OAuth 2.0 and OpenID Connect protocols. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.

CVSS Score

8.8

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Auth0	Aspnet	-
Auth0	Aspnet-Owin	-

Related Weaknesses (CWE)

CWE-352

References

https://auth0.com/docs/security/bulletins/cve-2018-15121Vendor Advisory
https://auth0.com/docs/security/bulletins/cve-2018-15121Vendor Advisory

FAQ

What is CVE-2018-15121?

CVE-2018-15121 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. Affected packages do not use or validate the state parameter of the OAuth 2.0 and OpenID Connect protocols. This leaves application...

How severe is CVE-2018-15121?

CVE-2018-15121 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-15121?

Check the references section above for vendor advisories and patch information. Affected products include: Auth0 Aspnet, Auth0 Aspnet-Owin.