CVE-2020-15240: omniauth-auth0 | RubyGems.org | your community gem host
omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the jwt_validator.verify method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all of the following conditions apply:
1. You are using omniauth-auth0.
2. You are using the JWTValidator.verify method directly OR you are not authenticating using the SDK's default Authorization Code Flow.
The issue is patched in version 2.4.1.
omniauth-auth0 3.0.0
Auth0 is an authentication broker that supports social identity providers as well as enterprise identity providers such as Active Directory, LDAP, Google Apps, and Salesforce. OmniAuth is a library that standardizes multi-provider authentication for web applications. It was created to be powerful, flexible, and do as little as possible. omniauth-auth0 is the OmniAuth strategy for Auth0.
Development Dependencies (1):
- bundler >= 0
Authors:
- Auth0
SHA 256 checksum:
471081873d74caeeb8bf30ff4669bbc9d0b025ed178975cee81b3d101428c585
Total downloads: 11,923,368
For this version: 120,371
License: MIT
Required Ruby Version: >= 0