CVE-2019-7644
First published: Thu Apr 11 2019(Updated: )
Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker, they can forge an arbitrary JWT token that will be accepted by the vulnerable application.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Auth0 Auth0-WCF-Service-JWT | <1.0.4 | |
| <1.0.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2019-7644?
CVE-2019-7644 is classified as a medium severity vulnerability due to the risk of unauthorized access via forged JWT tokens.
How do I fix CVE-2019-7644?
To fix CVE-2019-7644, upgrade Auth0-WCF-Service-JWT to version 1.0.4 or later.
What does CVE-2019-7644 exploit?
CVE-2019-7644 exploits the improper error handling that reveals the expected JWT signature, allowing attackers to forge JWT tokens.
Which versions are affected by CVE-2019-7644?
CVE-2019-7644 affects all versions of Auth0-WCF-Service-JWT prior to 1.0.4.
Who is impacted by CVE-2019-7644?
Users of the Auth0-WCF-Service-JWT library version before 1.0.4 are impacted by CVE-2019-7644.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/weakness
- agent/remedy
- agent/description
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/author
- agent/softwarecombine
- agent/event
- agent/tags
- agent/source
- vendor/auth0
- canonical/auth0 auth0-wcf-service-jwt