Privilege Escalation

Affecting auth0-js package, versions <8.0.0

Overview

auth0-js is a client-side JavaScript toolkit for the Auth0 API.

Affected versions of this package are vulnerable to Privilege Escalation via the parseHash method. The method did not properly validate the JWT audience (aud) claim, and therefore allowed tokens intended for one tenant to be accepted at another.

Remediation

Upgrade auth0-js to version 8.0.0 or higher.

CVSS Score

8.1 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Credit: Cinta Infinita
CVE: CVE-2018-6873
CWE: CWE-269
Snyk ID: SNYK-JS-AUTH0JS-72626
Disclosed: 09 Apr, 2018
Published: 22 Nov, 2018