CVE-2020-15240

CRITICAL Year: 2020
CVSS v3 Score
9.1
Critical
CVSS v2 Score
5.8
Medium
Weakness Type
CWE-287
View all →

Vulnerability Description

omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all of the following conditions apply: 1. You are using `omniauth-auth0`. 2. You are using `JWTValidator.verify` method directly OR you are not authenticating using the SDK’s default Authorization Code Flow. The issue is patched in version 2.4.1.

Related Vulnerabilities

CVE-2007-1966

CRITICAL
CVSS:9.1(Critical)

Session fixation vulnerability in eXV2 CMS 2.0.4.3 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID cookie.

CWE-2872007

CVE-2008-3738

CRITICAL
CVSS:9.1(Critical)

Session fixation vulnerability in SpaceTag LacoodaST 2.1.3 and earlier allows remote attackers to hijack web sessions via unspecified vectors.

CWE-2872008

CVE-2013-4454

CRITICAL
CVSS:9.1(Critical)

WordPress Portable phpMyAdmin Plugin 1.4.1 has Multiple Security Bypass Vulnerabilities

CWE-2872013

CVE-2013-4462

CRITICAL
CVSS:9.1(Critical)

WordPress Portable phpMyAdmin Plugin has an authentication bypass vulnerability

CWE-2872013

CVE-2014-4198

CRITICAL
CVSS:9.1(Critical)

A Two-Factor Authentication Bypass Vulnerability exists in BS-Client Private Client 2.4 and 2.5 via an XML request that neglects the use of ADPswID and AD parameters, which could let a malicious user ...

CWE-2872014

CVE-2016-4432

CRITICAL
CVSS:9.1(Critical)

The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to con...

CWE-2872016