CVE-2019-7644 — CRITICAL (9.8)

Q: How severe is CVE-2019-7644?

CVE-2019-7644 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2019-7644?

Check the references section above for vendor advisories and patch information. Affected products include: Auth0 Auth0-Wcf-Service-Jwt.

Vulnerability Description

Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker, they can forge an arbitrary JWT token that will be accepted by the vulnerable application.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Auth0	Auth0-Wcf-Service-Jwt	< 1.0.4

Related Weaknesses (CWE)

CWE-209

References

https://auth0.com/docs/security/bulletins/cve-2019-7644PatchVendor Advisory
https://auth0.com/docs/security/bulletins/cve-2019-7644PatchVendor Advisory

FAQ

What is CVE-2019-7644?

CVE-2019-7644 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker,...

How severe is CVE-2019-7644?

CVE-2019-7644 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2019-7644?

Check the references section above for vendor advisories and patch information. Affected products include: Auth0 Auth0-Wcf-Service-Jwt.