Privilege Escalation

Affecting auth0-js package, versions <8.0.0

high severity

Overview

auth0-js is a client-side JavaScript toolkit for the Auth0 API.

Affected versions of this package are vulnerable to Privilege Escalation via the parseHash method, which did not properly validate the JWT audience (aud) claim and therefore allowed a token issued for one tenant to be accepted at another.
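To show what the missing check amounts to, here is an added example (not auth0-js code) of the token-acceptance logic with and without audience and issuer validation; the token, client IDs and issuer URLs are constructed, and signature verification is assumed to happen elsewhere, since only the claim check is demonstrated:

```javascript
// Added example, not auth0-js code: the audience/issuer check that parseHash lacked before 8.0.0.
// Signature verification is assumed to be done separately; this shows only the claim validation.

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  // base64url -> base64 (restore '+', '/' and padding), then decode the JSON payload
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Vulnerable pattern: any well-formed token is trusted, regardless of who it was issued for.
function acceptTokenUnchecked(token) {
  const claims = decodeJwtPayload(token);
  return { accepted: true, sub: claims.sub };
}

// Hardened pattern: the token must name this client in `aud` (string or array form)
// and must come from this tenant's issuer, otherwise it is rejected.
function acceptTokenChecked(token, expected) {
  const claims = decodeJwtPayload(token);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.clientId)) return { accepted: false, reason: 'aud mismatch' };
  if (claims.iss !== expected.issuer) return { accepted: false, reason: 'iss mismatch' };
  return { accepted: true, sub: claims.sub };
}

// Constructed sample token with a placeholder signature (hypothetical tenant/client names).
function buildSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.signature-placeholder`;
}

// A token minted by tenant A for client "app-A" ...
const tokenFromTenantA = buildSampleToken({
  iss: 'https://tenant-a.example.auth0.com/', aud: 'app-A', sub: 'user|1',
});
// ... presented to an application belonging to tenant B.
const tenantBExpectation = { clientId: 'app-B', issuer: 'https://tenant-b.example.auth0.com/' };
const tenantAExpectation = { clientId: 'app-A', issuer: 'https://tenant-a.example.auth0.com/' };
```

With the unchecked logic the tenant-A token is accepted at tenant B; the checked version rejects it with an `aud` mismatch and accepts it only at tenant A.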

Remediation

Upgrade auth0-js to version 8.0.0 or higher.

Credit: Cinta Infinita
CVE: CVE-2018-6873
CWE: CWE-269
Snyk ID: SNYK-JS-AUTH0JS-72626
Disclosed: 09 Apr, 2018
Published: 22 Nov, 2018