GHSA-58r4-h6v8-jcvm

GitHub Security Advisory

Regression in JWT Signature Validation

Status: GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

### Overview
Versions `2.3.0` and later improperly validate the JWT signature when the `JWTValidator.verify` method is used. Because the signature is not properly checked when the SDK is used outside its default Authorization Code Flow, an attacker can bypass authentication and authorization.

### Am I affected?
You are affected by this vulnerability if all of the following conditions apply:

- You are using `omniauth-auth0`.
- You are calling the `JWTValidator.verify` method directly, OR you are not authenticating with the SDK's default Authorization Code Flow.

### How to fix that?
Upgrade to version `2.4.1`.

### Will this update impact my users?
The fix provided in this version will not affect your users.
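The advisory does not say which check the regression dropped, so the following is an added illustration rather than omniauth-auth0's code: a minimal HS256 verifier in Ruby that shows what a strict `verify` has to do before any claim in the token is trusted (pin the algorithm, check the signature in constant time, then check issuer, audience and expiry). The secret, tenant URL, client id and claims are constructed for the example and do not come from the advisory.

```ruby
require 'openssl'
require 'json'

# Added illustration, not omniauth-auth0's code: a minimal HS256 verifier that
# pins the algorithm, checks the signature before reading claims, and only
# then validates issuer, audience and expiry. All values are constructed.
module StrictJwt
  ALLOWED_ALG = 'HS256'.freeze

  # Base64url without padding, as JWS requires.
  def self.b64url_encode(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    padded = str.tr('-_', '+/')
    padded += '=' * ((4 - padded.length % 4) % 4)
    padded.unpack1('m0') # strict decode; raises ArgumentError on bad input
  end

  # Constant-time comparison so mismatches do not leak through timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Mint a token; used here only to build inputs for the demo.
  def self.encode(claims, secret, alg: ALLOWED_ALG)
    header = b64url_encode(JSON.generate({ 'alg' => alg, 'typ' => 'JWT' }))
    body = b64url_encode(JSON.generate(claims))
    input = "#{header}.#{body}"
    sig = alg == 'none' ? '' : OpenSSL::HMAC.digest('SHA256', secret, input)
    "#{input}.#{b64url_encode(sig)}"
  end

  # Returns [true, claims] on success or [false, reason] on any failure.
  # The signature is checked BEFORE any claim from the payload is used.
  def self.verify(token, secret, issuer:, audience:, now: Time.now.to_i)
    parts = token.split('.', -1)
    return [false, 'malformed'] unless parts.length == 3
    header_b64, body_b64, sig_b64 = parts

    header = JSON.parse(b64url_decode(header_b64))
    return [false, 'malformed'] unless header.is_a?(Hash)
    # Pin the algorithm: the token must never choose it (e.g. "none").
    return [false, 'alg not allowed'] unless header['alg'] == ALLOWED_ALG

    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{body_b64}")
    return [false, 'bad signature'] unless secure_equal?(expected, b64url_decode(sig_b64))

    claims = JSON.parse(b64url_decode(body_b64))
    return [false, 'malformed'] unless claims.is_a?(Hash)
    return [false, 'bad issuer'] unless claims['iss'] == issuer
    return [false, 'bad audience'] unless Array(claims['aud']).include?(audience)
    return [false, 'expired'] unless claims['exp'].is_a?(Integer) && claims['exp'] > now
    [true, claims]
  rescue ArgumentError, JSON::ParserError
    [false, 'malformed']
  end

  # Constructed demo: what the verifier accepts and what it rejects.
  def self.demo
    secret = 'constructed-shared-secret'
    claims = { 'iss' => 'https://tenant.example.com/', 'aud' => 'client-abc',
               'sub' => 'user-1', 'exp' => 1_700_000_600 }
    opts = { issuer: 'https://tenant.example.com/', audience: 'client-abc', now: 1_700_000_000 }
    good = encode(claims, secret)
    wrong_key = encode(claims, 'another-secret')       # signed with a key we do not hold
    unsigned = encode(claims, secret, alg: 'none')     # asks the verifier to skip the signature
    h, _b, s = good.split('.')                         # payload altered after signing
    tampered = [h, b64url_encode(JSON.generate(claims.merge('sub' => 'user-2'))), s].join('.')
    {
      good: verify(good, secret, **opts),
      wrong_key: verify(wrong_key, secret, **opts),
      unsigned: verify(unsigned, secret, **opts),
      tampered: verify(tampered, secret, **opts),
      expired: verify(good, secret, **opts.merge(now: 1_700_001_000))
    }
  end
end

puts StrictJwt.demo.inspect if __FILE__ == $PROGRAM_NAME
```

The order of the checks is the point: the algorithm comes from the verifier's configuration, not from the token header, and no claim is read until the signature over the exact header and payload bytes has been confirmed. A verifier that decodes claims first, or that lets the token's own `alg` choose the check, is the kind of regression this advisory describes.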

Affected Packages

RubyGems omniauth-auth0
Affected versions: >= 2.3.0, < 2.4.1 (fixed in 2.4.1)

Key Information

GHSA ID
GHSA-58r4-h6v8-jcvm
Published
November 3, 2020 2:31 AM
Last Modified
May 16, 2023 4:04 PM
CVSS Score
7.5 /10
Primary Ecosystem
RubyGems
Primary Package
omniauth-auth0
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.