CVE-2020-15084

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-15084
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15084.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-15084
Aliases
Related
Published
2020-06-30T16:15:15Z
Modified
2025-01-15T01:42:38.471958Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
[none]
Details

In express-jwt (NPM package) up to and including version 5.3.3, the algorithms entry that should be specified in the configuration is not enforced. When algorithms is not specified in the configuration, in combination with jwks-rsa, this may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply:
  • You are using express-jwt.
  • You do not have algorithms configured in your express-jwt configuration.
  • You are using libraries such as jwks-rsa as the secret.
You can fix this by specifying algorithms in the express-jwt configuration. See the linked GHSA for an example. This is also fixed in version 6.0.0.

References

Affected packages

Git / github.com/auth0/express-jwt

Affected ranges

Type
GIT
Repo
https://github.com/auth0/express-jwt
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v0.*

v0.1.3
v0.2.3
v0.3.0
v0.3.1
v0.3.2
v0.4.0
v0.5.0
v0.6.0
v0.6.1
v0.6.2

v1.*

v1.0.0
v1.1.0
v1.2.0
v1.3.0
v1.3.1
v1.4.0

v2.*

v2.0.0
v2.0.1
v2.1.0

v3.*

v3.0.0
v3.0.1
v3.1.0
v3.2.0
v3.3.0
v3.4.0

v5.*

v5.0.0
v5.1.0
v5.2.0
v5.3.0
v5.3.1
v5.3.2
v5.3.3