CVE-2020-15084

In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.

CVSS v3 9.1 CRITICAL
CVSS v2.0 4.3 MEDIUM

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef	Patch Third Party Advisory
https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:auth0:express-jwt:*:*:*:*:*:node.js:*:*

History

21 Oct 2022, 18:00

Type	Values Removed	Values Added
CWE	~~CWE-285~~	CWE-863

Information

Published : 2020-06-30 16:15

Updated : 2024-02-04 21:00

NVD link : CVE-2020-15084

Mitre link : CVE-2020-15084

CVE.ORG link : CVE-2020-15084

JSON object : View

Products Affected

auth0

express-jwt

CWE

CWE-863

Incorrect Authorization

CWE-285

Improper Authorization

{"id": "CVE-2020-15084", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.3}]}, "published": "2020-06-30T16:15:15.220", "references": [{"url": "https://github.com/auth0/express-jwt/commit/7ecab5f8f0cab5297c2b863596566eb0c019cdef", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/auth0/express-jwt/security/advisories/GHSA-6g6m-m6h5-w9gf", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0."}, {"lang": "es", "value": "En express-jwt (paquete NPM), incluyendo la versi\u00f3n 5.3.3, la entrada de algoritmos que es especificada en la configuraci\u00f3n no es aplicada. Cuando los algoritmos no son especificados en la configuraci\u00f3n, con la combinaci\u00f3n de jwks-rsa, esto puede conllevar a una omisi\u00f3n de autorizaci\u00f3n. Pueden estar afectados por esta vulnerabilidad si se aplican todas las condiciones siguientes: - Est\u00e1n usando express-jwt - No tiene **algorithms** configurados en su configuraci\u00f3n express-jwt. - Est\u00e1n usando bibliotecas como jwks-rsa como el **secret**. Pueden corregir esto especificando **algorithms** en la configuraci\u00f3n de express-jwt. Consulte GHSA vinculado por ejemplo. Esto tambi\u00e9n es corregido en la versi\u00f3n 6.0.0"}], "lastModified": "2022-10-21T18:00:47.803", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:auth0:express-jwt:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "DA2EA9DB-1370-4E0A-B443-77166B3ED3A9", "versionEndIncluding": "5.3.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}