CRITICAL🇵🇱 Wersja polska

CVE-2019-7644

CVSS 9.8v3.0pub. 2019-04-11upd. 2024-11-21

Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker, they can forge an arbitrary JWT token that will be accepted by the vulnerable application.

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Auth0 Wcf Service Jwt

    APP
    Auth0
    < 1.0.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2020-7947CRITICAL9.8ten sam vendor

An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that c...

CVE-2015-9235CRITICAL9.8ten sam vendor

In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token di...

CVE-2018-6873CRITICAL9.8ten sam vendor

The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not...

CVE-2026-42280HIGH7.1ten sam vendor

Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, t...

CVE-2026-34236HIGH8.2ten sam vendor

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19...