U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. VulnerabilitiesSearch And Statistics

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): JWT
  • Search Type: Search All
  • CPE Name Search: false
  • CPE Vendor: cpe:/:auth0
There are 6 matching records.
Displaying matches 1 through 6.
Vuln ID Summary CVSS Severity
CVE-2022-23541

jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.

Published: December 22, 2022; 1:15:09 PM -0500 		V3.1: 6.3 MEDIUM
 V2.0:(not available)
CVE-2020-15240

omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all of the following conditions apply: 1. You are using `omniauth-auth0`. 2. You are using `JWTValidator.verify` method directly OR you are not authenticating using the SDK’s default Authorization Code Flow. The issue is patched in version 2.4.1.

Published: October 21, 2020; 2:15:12 PM -0400 		V3.1: 9.1 CRITICAL
 V2.0: 5.8 MEDIUM
CVE-2019-13483

Auth0 Passport-SharePoint before 0.4.0 does not validate the JWT signature of an Access Token before processing. This allows attackers to forge tokens and bypass authentication and authorization mechanisms.

Published: July 25, 2019; 4:15:11 PM -0400 		V3.0: 7.3 HIGH
 V2.0: 7.5 HIGH
CVE-2019-7644

Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker, they can forge an arbitrary JWT token that will be accepted by the vulnerable application.

Published: April 11, 2019; 4:29:00 PM -0400 		V3.0: 9.8 CRITICAL
 V2.0: 7.5 HIGH
CVE-2018-11537

Auth0 angular-jwt before 0.1.10 treats whiteListedDomains entries as regular expressions, which allows remote attackers with knowledge of the jwtInterceptorProvider.whiteListedDomains setting to bypass the domain whitelist filter via a crafted domain.

Published: June 19, 2018; 3:29:00 PM -0400 		V3.0: 6.5 MEDIUM
 V2.0: 4.3 MEDIUM
CVE-2018-6873

The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not validated.

Published: April 04, 2018; 1:29:01 PM -0400 		V3.0: 9.8 CRITICAL
 V2.0: 7.5 HIGH