Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFwdngtZ3BxbS1nOThq
Critical severity vulnerability that affects Auth0-WCF-Service-JWT
Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker, they can forge an arbitrary JWT token that will be accepted by the vulnerable application.
Permalink: https://github.com/advisories/GHSA-qpvx-gpqm-g98jJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFwdngtZ3BxbS1nOThq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00222
EPSS Percentile: 0.6057
Identifiers: GHSA-qpvx-gpqm-g98j, CVE-2019-7644
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-7644
- https://auth0.com/docs/security/bulletins/cve-2019-7644
- https://github.com/advisories/GHSA-qpvx-gpqm-g98j
Affected Packages
nuget:Auth0-WCF-Service-JWT
Dependent packages: 0Dependent repositories: 1
Downloads: total
Affected Version Ranges: < 1.0.4
Fixed in: 1.0.4
All affected versions: 0.9.4, 0.9.5, 0.9.6, 1.0.0, 1.0.1, 1.0.2, 1.0.3
All unaffected versions: 1.0.4