Privilege Escalation
Affecting auth0-js package, versions <8.0.0
Overview
auth0-js is a client-side JavaScript toolkit for the Auth0 API.
Affected versions of this package are vulnerable to Privilege Escalation via the parseHash method. It did not properly validate the JWT audience, and therefore allowed tokens intended for one tenant to be used at another.
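The audience check described above, as an added example (not auth0-js code and not part of the advisory). It assumes the token's signature has already been verified and that the expected audience is the application's own client ID; the tenant URL, client IDs and token contents are constructed for illustration.

```javascript
// Added example: issuer, audience and expiry checks on an ID token's claims.
// Assumption: signature verification happens elsewhere and is NOT shown here.

// Decode the payload (second segment) of a compact JWT without verifying it.
function decodePayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Returns null when the claims are acceptable, otherwise a reason string.
function checkClaims(claims, expected) {
  if (claims.iss !== expected.issuer) return 'issuer mismatch';
  // RFC 7519: "aud" is either a single string or an array of strings.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.clientId)) return 'audience mismatch';
  if (typeof claims.exp !== 'number' || claims.exp <= expected.now) return 'expired';
  return null;
}

// Helper that builds constructed sample tokens with a fake signature segment.
function makeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256', typ: 'JWT' }), enc(claims), 'c2ln'].join('.');
}

// Hypothetical values for the application doing the validation.
const expected = {
  issuer: 'https://tenant-a.example/',
  clientId: 'client-a',
  now: 1700000000, // fixed clock so the example is deterministic
};

// Token issued for this application: accepted.
const ownToken = makeToken({ iss: expected.issuer, aud: 'client-a', exp: 1700003600 });
// Well-formed token whose audience is a different application: rejected.
const foreignToken = makeToken({ iss: expected.issuer, aud: 'client-b', exp: 1700003600 });
// Array-valued audience that includes this application: accepted.
const multiAudToken = makeToken({ iss: expected.issuer, aud: ['api-x', 'client-a'], exp: 1700003600 });

console.log(checkClaims(decodePayload(ownToken), expected));
console.log(checkClaims(decodePayload(foreignToken), expected));
console.log(checkClaims(decodePayload(multiAudToken), expected));
```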
Remediation
Upgrade auth0-js to version 8.0.0 or higher.
CVSS Score
8.1 (high severity)
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
- Credit: Cinta Infinita
- CVE: CVE-2018-6873
- CWE: CWE-269
- Snyk ID: SNYK-JS-AUTH0JS-72626
- Disclosed: 09 Apr, 2018
- Published: 22 Nov, 2018