Vulnerability Description
omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT signature when the `jwt_validator.verify` method is used. Improper validation of the JWT signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all of the following conditions apply:
1. You are using `omniauth-auth0`.
2. You are calling the `JWTValidator.verify` method directly, OR you are not authenticating using the SDK's default Authorization Code Flow.
The issue is patched in version 2.4.1.
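To make concrete what "properly validating the JWT signature" means for a validator like `JWTValidator.verify`, here is an added, self-contained Ruby example; it is not code from omniauth-auth0 or from the patch, and it assumes an HS256 token signed with a shared secret (a constructed value here; Auth0 deployments commonly use RS256, but the checks are the same in shape). The verifier pins the algorithm, checks the HMAC before reading any claim, and then checks issuer, audience and expiry.

```ruby
require 'json'
require 'openssl'

# Added illustration of HS256 JWT issue/verify; not omniauth-auth0's own code.
# Key property of verify_hs256: the signature is checked against the server's
# key and the server's expected algorithm *before* any claim is trusted.

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m')
end

# Constant-time comparison so a forged signature cannot be guessed byte by byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def sign_hs256(claims, secret)
  header  = b64url_encode(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  payload = b64url_encode(JSON.generate(claims))
  signing_input = "#{header}.#{payload}"
  sig = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url_encode(sig)}"
end

class VerificationError < StandardError; end

# Returns the claims only if every check passes; raises otherwise.
def verify_hs256(token, secret, issuer:, audience:, now: Time.now.to_i)
  parts = token.split('.', -1)
  raise VerificationError, 'malformed token' unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts

  header = JSON.parse(b64url_decode(header_b64))
  # Pin the algorithm server-side: never let the token choose it
  # (this rejects alg=none and algorithm-confusion tokens outright).
  raise VerificationError, "unexpected alg #{header['alg'].inspect}" unless header['alg'] == 'HS256'

  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  raise VerificationError, 'bad signature' unless constant_time_equal?(expected, b64url_decode(sig_b64))

  # Only now is the payload trustworthy enough to read.
  claims = JSON.parse(b64url_decode(payload_b64))
  raise VerificationError, 'wrong issuer'   unless claims['iss'] == issuer
  raise VerificationError, 'wrong audience' unless Array(claims['aud']).include?(audience)
  raise VerificationError, 'expired'        unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  claims
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-test-secret'            # constructed sample value
  issuer = 'https://example-tenant.example/'    # constructed sample issuer
  token  = sign_hs256({ 'iss' => issuer, 'aud' => 'client-id', 'sub' => 'user1',
                        'exp' => 4_102_444_800 }, secret)
  puts verify_hs256(token, secret, issuer: issuer, audience: 'client-id').inspect
  h, p, _s = token.split('.')
  unsigned = "#{b64url_encode(JSON.generate({ alg: 'none' }))}.#{p}."
  begin
    verify_hs256(unsigned, secret, issuer: issuer, audience: 'client-id')
  rescue VerificationError => e
    puts "rejected unsigned token: #{e.message}"
  end
end
```

The order of operations is the whole point: a validator that decodes the payload first and checks the signature later (or only under some code paths) lets a caller act on claims that were never authenticated, which is the class of failure the advisory describes.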
CVSS Score
7.4 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Auth0 | Omniauth-Auth0 | >= 2.3.0, < 2.4.1 |
Related Weaknesses (CWE)
References
- https://github.com/auth0/omniauth-auth0/commit/fd3a14f4ccdfbc515d1121d6378ff88bf (Patch, Third Party Advisory)
- https://github.com/auth0/omniauth-auth0/security/advisories/GHSA-58r4-h6v8-jcvm (Third Party Advisory)
- https://rubygems.org/gems/omniauth-auth0 (Product, Vendor Advisory)
FAQ
What is CVE-2020-15240?
CVE-2020-15240 is a vulnerability with a CVSS score of 7.4 (HIGH). omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT signature when the `jwt_validator.verify` method is used. Improper validation of the JWT signature can allow an attacker to bypass authentication and authorization.
How severe is CVE-2020-15240?
CVE-2020-15240 has been rated HIGH with a CVSS base score of 7.4/10. See the CVSS Score section above.
Is there a patch for CVE-2020-15240?
Yes. The issue is patched in omniauth-auth0 version 2.4.1; see the References section above for the vendor advisory and the fixing commit. Affected products include: Auth0 Omniauth-Auth0.