Moderate severity vulnerability that affects auth0-js
2018-11-06T23:15:13
ID GHSA-WV26-RJ8C-4R33 Type github Reporter GitHub Advisory Database Modified 2019-07-03T21:02:05
Description
CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled.
{"id": "GHSA-WV26-RJ8C-4R33", "bulletinFamily": "software", "title": "Moderate severity vulnerability that affects auth0-js", "description": "CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled.", "published": "2018-11-06T23:15:13", "modified": "2019-07-03T21:02:05", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://github.com/advisories/GHSA-wv26-rj8c-4r33", "reporter": "GitHub Advisory Database", "references": ["https://github.com/advisories/GHSA-wv26-rj8c-4r33", "https://nvd.nist.gov/vuln/detail/CVE-2018-6874"], "cvelist": ["CVE-2018-6874"], "type": "github", "lastseen": "2020-03-10T23:26:07", "edition": 2, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-6874"]}, {"type": "thn", "idList": ["THN:00180D45F9D5175BE38C6A5629CD9B8E"]}, {"type": "github", "idList": ["GHSA-WV26-RJ8C-4R33"]}], "modified": "2020-03-10T23:26:07", "rev": 2}, "score": {"value": 5.9, "vector": "NONE", "modified": "2020-03-10T23:26:07", "rev": 2}, "vulnersScore": 5.9}, "affectedSoftware": [{"name": "auth0-js", "operator": "lt", "version": "9.0.0"}], "scheme": null, "immutableFields": []}
{"cve": [{"lastseen": "2021-04-23T00:24:30", "description": "CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled.", "edition": 7, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-04T17:29:00", "title": "CVE-2018-6874", "type": "cve", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6874"], "modified": "2018-05-15T18:08:00", "cpe": ["cpe:/a:auth0:auth0.js:8.12.1"], "id": "CVE-2018-6874", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6874", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:auth0:auth0.js:8.12.1:*:*:*:*:*:*:*"]}], "thn": [{"lastseen": "2018-04-09T21:51:58", "bulletinFamily": "info", "cvelist": ["CVE-2018-6874", "CVE-2018-6873"], "description": "[](<https://1.bp.blogspot.com/-c1hjF3SF8_k/WsiJ67GBlyI/AAAAAAAAwIY/J4Tp5y0XFV8usA2szm5NCXTQ6VU1brvdgCLcBGAs/s1600-e20/auth0-authentication-vulnerability.png>)\n\nA critical authentication bypass vulnerability has been discovered in one of the biggest identity-as-a-service platform** Auth0** that could have allowed a malicious attacker to access any portal or application, which are using Auth0 service for authentication. \n \nAuth0 offers token-based authentication solutions for a number of platforms including the ability to integrate social media authentication into an application. \n \nWith over 2000 enterprise customers and managing 42 million logins every day and billions of login per month, Auth0 is one of the biggest identity platforms. \n \nWhile pentesting an application back in September 2017, researchers from security firm Cinta Infinita [discovered](<https://medium.com/@cintainfinita/knocking-down-the-big-door-8e2177f76ea5>) a flaw ([CVE-2018-6873](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6873>)) in Auth0's **Legacy Lock API**, which resides due to improper validation of the JSON Web Tokens (JWT) audience parameter. \n \nResearchers successfully exploited this issue to bypass login authentication using a simple cross-site request forgery (CSRF/XSRF) attack against the applications running over Auth0 authentication. \n \nAuth0's CSRF vulnerability ([CVE-2018-6874](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6874>)) allows an attacker to reuse a valid signed JWT generated for a separate account to access the targeted victim's account. \n \nFor this, all an attacker needs is the victim's user ID or email address, which can be obtained using simple social engineering tricks. \n \n\n\n### Video Demonstration of the Attack\n\nAccording to the researchers, the attack is reproducible against many organisations, \"as long as we know the expected fields and values for the JWT. There is no need of social engineering in most of the cases we saw. Authentication for applications that use an email address or an incremental integer for user identification would be trivially bypassed.\" \n \nThe security firm reported the vulnerability to the Auth0 Security Team in October 2017. The company acted very fast and addressed the weakness in less than 4 hours. \n \nHowever, since the vulnerable SDK and supported libraries of Auth0 have been implemented on the client side, Auth0 took almost six months to contact each of their customers and help them fix this vulnerability, before publicly disclosing this issue. \n\n\n> \"Unlike the fix for the special case discovered by Cinta Infinita, this issue could not be solved without forcing our customers to upgrade the libraries/SDKs on their end, a much more significant undertaking,\" the Auth0 team said in its [advisory](<https://auth0.com/blog/managing-and-mitigating-security-vulnerabilities-at-auth0/>).\n\nThe company has mitigated the vulnerabilities by extensively rewriting the affected libraries and releasing new versions of its SDKs (auth0.js 9 and Lock 11). \n \nCinta Infinita also waited six months before publicly disclosing the vulnerability, giving the Auth0 team enough time to update all their Private SaaS Appliances (on-premises) as well. \n \nThe security firm has now released a proof-of-concept (PoC) video, demonstrating how they obtained the victim's user id and bypass password authentication when logging into Auth0\u2019s Management Dashboard by forging an authentication token.\n", "modified": "2018-04-09T18:01:41", "published": "2018-04-06T22:08:00", "id": "THN:00180D45F9D5175BE38C6A5629CD9B8E", "href": "https://thehackernews.com/2018/04/auth0-authentication-bypass.html", "type": "thn", "title": "Authentication Bypass Vulnerability Found in Auth0 Identity Platform", "cvss": {"score": 0.0, "vector": "NONE"}}]}
