Critical severity vulnerability that affects Auth0-WCF-Service-JWT · CVE-2019-7644 · GitHub Advisory Database · GitHub

Critical severity vulnerability that affects Auth0-WCF-Service-JWT

Critical severity GitHub Reviewed Published Apr 18, 2019 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

Auth0-WCF-Service-JWT (NuGet)

Affected versions

< 1.0.4

Patched versions

1.0.4

Description

Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker, they can forge an arbitrary JWT token that will be accepted by the vulnerable application.

References

Published to the GitHub Advisory Database Apr 18, 2019

Reviewed Jun 16, 2020

Last updated Jan 9, 2023

Severity

Critical

9.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H