CVE-2020-15240

Description

omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all of the following conditions apply: 1. You are using `omniauth-auth0`. 2. You are using `JWTValidator.verify` method directly OR you are not authenticating using the SDK’s default Authorization Code Flow. The issue is patched in version 2.4.1.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected products

auth0 / omniauth-auth0>= 2.3.0, <2.4.1 – >= 2.3.0, <2.4.1

References

VENDOR_ADVISORYhttps://github.com/auth0/omniauth-auth0/security/advisories/GHSA-58r4-h6v8-jcvm
PATCHhttps://github.com/auth0/omniauth-auth0/commit/fd3a14f4ccdfbc515d1121d6378ff88bf55a7a7a
MISChttps://rubygems.org/gems/omniauth-auth0