Lucene search

GitHub Advisory DatabaseGHSA-WPQ7-Q8J4-72JG

HistoryMar 07, 2018 - 10:22 p.m.

Auth0-js bypasses CSRF checks

2018-03-0722:22:24

CWE-352

GitHub Advisory Database

github.com

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

31.7%

JSON

The Auth0.js library has a vulnerability affecting versions below 9.3 that allows an attacker to bypass the CSRF check from the state parameter if it’s missing from the authorization response, leaving the client vulnerable to CSRF attacks.

Affected configurations

Vulners

Node

auth0auth0.jsRange<9.3.0

CPENameOperatorVersion
auth0-jslt9.3.0

CPE	Name	Operator	Version
	auth0-js	lt	9.3.0

References

auth0.com/docs/security/bulletins/cve-2018-7307

github.com/advisories/GHSA-wpq7-q8j4-72jg

nvd.nist.gov/vuln/detail/CVE-2018-7307

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

31.7%

JSON

Related for GHSA-WPQ7-Q8J4-72JG