CVE-2020-15240

NameCVE-2020-15240
Descriptionomniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all of the following conditions apply: 1. You are using `omniauth-auth0`. 2. You are using `JWTValidator.verify` method directly OR you are not authenticating using the SDK’s default Authorization Code Flow. The issue is patched in version 2.4.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-omniauth-auth0 (PTS)buster, bullseye2.0.0-1fixed
sid, trixie3.1.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-omniauth-auth0source(unstable)(not affected)

Notes

- ruby-omniauth-auth0 <not-affected> (Introduced in 2.3.0)
https://github.com/auth0/omniauth-auth0/security/advisories/GHSA-58r4-h6v8-jcvm
Search for package or bug name: Reporting problems