CVE-2020-15240

omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all of the following conditions apply:

1. You are using `omniauth-auth0`.
2. You are using the `JWTValidator.verify` method directly OR you are not authenticating using the SDK's default Authorization Code Flow.

The issue is patched in version 2.4.1.
Base Score (CVSS 3.x)

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|----------|------|------------|-------------|-----------------|----------------|--------|
| NIST | NIST | 7.4 HIGH | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| GitHub_M | CNA | 7.4 HIGH | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| CVE | ADP | --- | --- | --- | --- | --- |

EPSS Score Percentile: 26%
| Vendor | Product | Version |
|--------|---------|---------|
| auth0 | omniauth-auth0 | 2.3.0 ≤ x < 2.4.1 |

x = Vulnerable software versions
Debian Releases

| Debian Product | Codename | Version | Status |
|----------------|----------|---------|--------|
| ruby-omniauth-auth0 | bullseye | 2.0.0-1 | fixed |
| ruby-omniauth-auth0 | sid | 3.1.0-2 | fixed |
| ruby-omniauth-auth0 | trixie | 3.1.0-2 | fixed |
Ubuntu Releases

| Ubuntu Product | Codename | Status |
|----------------|----------|--------|
| ruby-omniauth-auth0 | lunar | dne |
| ruby-omniauth-auth0 | kinetic | not-affected |
| ruby-omniauth-auth0 | jammy | not-affected |
| ruby-omniauth-auth0 | impish | not-affected |
| ruby-omniauth-auth0 | hirsute | not-affected |
| ruby-omniauth-auth0 | groovy | not-affected |
| ruby-omniauth-auth0 | focal | not-affected |
| ruby-omniauth-auth0 | bionic | not-affected |
| ruby-omniauth-auth0 | xenial | dne |
| ruby-omniauth-auth0 | trusty | dne |