Vulnerability Details : CVE-2020-15240
omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all of the following conditions apply: 1. You are using `omniauth-auth0`. 2. You are using `JWTValidator.verify` method directly OR you are not authenticating using the SDK’s default Authorization Code Flow. The issue is patched in version 2.4.1.
Vulnerability category: BypassGain privilege
Products affected by CVE-2020-15240
- cpe:2.3:a:auth0:omniauth-auth0:*:*:*:*:*:ruby:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-15240
0.30%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 70 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-15240
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
8.6
|
4.9
|
NIST | |
9.1
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
3.9
|
5.2
|
NIST | |
7.4
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
2.2
|
5.2
|
GitHub, Inc. |
CWE ids for CVE-2020-15240
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by: security-advisories@github.com (Secondary)
-
The product does not verify, or incorrectly verifies, the cryptographic signature for data.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2020-15240
-
https://github.com/auth0/omniauth-auth0/security/advisories/GHSA-58r4-h6v8-jcvm
Regression in JWT Signature Validation · Advisory · auth0/omniauth-auth0 · GitHubThird Party Advisory
-
https://github.com/auth0/omniauth-auth0/commit/fd3a14f4ccdfbc515d1121d6378ff88bf55a7a7a
Verify the JWT signature · auth0/omniauth-auth0@fd3a14f · GitHubPatch;Third Party Advisory
-
https://rubygems.org/gems/omniauth-auth0
omniauth-auth0 | RubyGems.org | your community gem hostProduct;Vendor Advisory
Jump to