Description
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Applications using the Auth0-PHP SDK are affected, as are applications using the Auth0/symfony, Auth0/laravel-auth0, or Auth0/wordpress SDKs, because those SDKsrely on the Auth0-PHP SDK versions from 8.0.0-BETA3 until 8.14.0. Version 8.3.1 contains a patch for the issue.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Confidentiality (Vulnerable System)
None
Integrity (Vulnerable System)
High
Availability (Vulnerable System)
None
Confidentiality (Subsequent System)
High
Integrity (Subsequent System)
High
Availability (Subsequent System)
High
Affected products
- auth0 / auth0-PHP>= 8.0.0-BETA3, < 8.3.1 – >= 8.0.0-BETA3, < 8.3.1
References
- VENDOR_ADVISORYhttps://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
- VENDOR_ADVISORYhttps://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
- VENDOR_ADVISORYhttps://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
- VENDOR_ADVISORYhttps://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r
- PATCHhttps://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715