Privilege Escalation
Affecting auth0-js package, versions <8.0.0
high severity
Overview
auth0-js is a Client Side Javascript toolkit for Auth0 API.
Affected versions of this package are vulnerable to Privilege Escalation via the parseHash method. It did not properly validate the JWT audience, and therefore allowed tokens intended for one tenant to be used at another.
Remediation
Upgrade auth0-js to version 8.0.0 or higher.
References
Do your applications use this vulnerable package?
- Credit
- Cinta Infinita
- CVE
- CVE-2018-6873
- CWE
- CWE-269
- Snyk ID
- SNYK-JS-AUTH0JS-72626
- Disclosed
- 09 Apr, 2018
- Published
- 22 Nov, 2018