Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2020-15240

Good to know:

icon

Date: October 21, 2020

omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the "jwt_validator.verify" method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all of the following conditions apply: 1. You are using "omniauth-auth0". 2. You are using "JWTValidator.verify" method directly OR you are not authenticating using the SDK’s default Authorization Code Flow. The issue is patched in version 2.4.1.

Language: Ruby

Severity Score

Related Resources (7)

https://nvd.nist.gov/vuln/detail/CVE-2020-15240
https://github.com/auth0/omniauth-auth0
https://github.com/auth0/omniauth-auth0/commit/fd3a14f4ccdfbc515d1121d6378ff88bf55a7a7a
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth-auth0/CVE-2020-15240.yml
https://rubygems.org/gems/omniauth-auth0
https://github.com/auth0/omniauth-auth0/security/advisories/GHSA-58r4-h6v8-jcvm
https://www.mend.io/vulnerability-database/CVE-2020-15240

Severity Score

Weakness Type (CWE)

Improper Authentication

CWE-287

Improper Verification of Cryptographic Signature

CWE-347

Top Fix

icon

Upgrade Version

Upgrade to version omniauth-auth0 - 2.4.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us