First published: Wed Oct 21 2020(Updated: )
### Overview

Versions `2.3.0` and later improperly validate the JWT signature when the `JWTValidator.verify` method is used. Because the signature is not properly checked outside the SDK's default Authorization Code Flow, an attacker can bypass authentication and authorization.

### Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

- You are using `omniauth-auth0`.
- You are calling the `JWTValidator.verify` method directly, OR you are not authenticating through the SDK's default Authorization Code Flow.

### How to fix it?

Upgrade to version `2.4.1`.

### Will this update impact my users?

The fix provided in this version will not affect your users.
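The defect the advisory describes is a validator that reads the claims of a token without binding them to a valid signature. The following is an added illustration written for this page; it is not code from `omniauth-auth0` or Auth0. It uses HS256 with a constructed shared secret so it runs offline (Auth0 tokens are normally RS256 and verified against the tenant's JWKS, but the principle is identical): `claims_without_verification` shows the unsafe pattern, where a forged payload with the original signature is accepted, and `verify_hs256` shows the checks a validator must perform before any claim is trusted. All names, secrets and claim values are constructed for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed secret for this example only; not an Auth0 value.
EXAMPLE_SECRET = 'example-shared-secret'.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  # Ruby's urlsafe_decode64 accepts unpadded input (RFC 4648 section 5).
  Base64.urlsafe_decode64(str)
end

# Build a signed HS256 token from a header and payload hash.
def sign_hs256(header, payload, secret)
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  sig = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Replace the payload segment but keep the original signature. Used only to
# demonstrate why an unverified validator is dangerous.
def forge_payload(token, new_payload)
  header_b64, _old_payload, sig_b64 = token.split('.', 3)
  "#{header_b64}.#{b64url(JSON.generate(new_payload))}.#{sig_b64}"
end

# Constant-time byte comparison so signature checks do not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# UNSAFE: decodes claims and never looks at the signature. Any party can
# produce a payload that this function will happily return.
def claims_without_verification(token)
  _header, payload_b64, _sig = token.split('.', 3)
  JSON.parse(b64url_decode(payload_b64))
end

# Verification the validator must do before trusting any claim:
# pin the algorithm, check the signature over header.payload, then check
# issuer, audience and expiry. Returns [true, claims] or [false, reason].
def verify_hs256(token, secret, expected_iss:, expected_aud:, now: Time.now.to_i)
  parts = token.split('.')
  return [false, 'malformed'] unless parts.size == 3

  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  return [false, 'unexpected alg'] unless header['alg'] == 'HS256'

  expected_sig = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  return [false, 'bad signature'] unless secure_compare(expected_sig, b64url_decode(sig_b64))

  payload = JSON.parse(b64url_decode(payload_b64))
  return [false, 'wrong issuer'] unless payload['iss'] == expected_iss
  return [false, 'wrong audience'] unless payload['aud'] == expected_aud
  return [false, 'expired'] unless payload['exp'].is_a?(Integer) && payload['exp'] > now

  [true, payload]
rescue ArgumentError, JSON::ParserError
  [false, 'undecodable']
end

# Constructed sample: a legitimate token and a forged copy with a swapped subject.
def demo
  header  = { 'alg' => 'HS256', 'typ' => 'JWT' }
  payload = { 'iss' => 'https://example-tenant.test/', 'aud' => 'example-client-id',
              'sub' => 'user|legit', 'exp' => 4_102_444_800 }
  token  = sign_hs256(header, payload, EXAMPLE_SECRET)
  forged = forge_payload(token, payload.merge('sub' => 'user|someone-else'))
  opts   = { expected_iss: 'https://example-tenant.test/', expected_aud: 'example-client-id' }
  {
    unverified_sub: claims_without_verification(forged)['sub'],
    verified_good:  verify_hs256(token, EXAMPLE_SECRET, **opts),
    verified_forged: verify_hs256(forged, EXAMPLE_SECRET, **opts)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The unsafe function returns the forged subject, while `verify_hs256` rejects the same token with `bad signature` because the HMAC over the altered payload no longer matches. Checking `alg` against the expected value before computing anything, and comparing signatures in constant time, are the two details most often dropped in hand-rolled validators.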
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
Auth0 Omniauth-auth0 | >=2.3.0, <2.4.1 | Upgrade to `2.4.1`