7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15240

GHSA ID

GHSA-58r4-h6v8-jcvm

EPSS Score

0.26033%

CWE

CWE-287

Published

11/3/2020

Updated

5/4/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-15240

CVE-2020-15240: Regression in JWT Signature Validation

Overview

Versions after and including 2.3.0 are improperly validating the JWT token signature when using the JWTValidator.verify method. Improper validation of the JWT token signature when not using the default Authorization Code Flow can allow an attacker to bypass authentication and authorization.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

You are using omniauth-auth0.
You are using JWTValidator.verify method directly OR you are not authenticating using the SDK’s default Authorization Code Flow.

How to fix that?

Upgrade to version 2.4.1.

Will this update impact my users?

The fix provided in this version will not affect your users.

(GitHub Advisory)

7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15240

GHSA ID

GHSA-58r4-h6v8-jcvm

EPSS Score

0.26033%

CWE

CWE-287

Published

11/3/2020

Updated

5/4/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
omniauth-auth0	rubygems	>= 2.3.0, < 2.4.1	2.4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing JWT signature validation in the verify_signature method. The pre-patch code (vulnerable versions) returns [key, alg] without calling JWT.decode to verify cryptographic validity. The critical fix in commit fd3a14f adds JWT.decode(key, true, ...) which performs actual signature verification. The test cases added in the commit (e.g., 'should fail when RS256 token has invalid signature') confirm that signature validation was previously missing. This function is directly tied to the CWE-347 (Improper Verification of Cryptographic Signature) listed in the advisory.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Ov*rvi*w V*rsions **t*r *n* in*lu*in* `*.*.*` *r* improp*rly v*li**tin* t** JWT tok*n si*n*tur* w**n usin* t** `JWTV*li**tor.v*ri*y` m*t*o*. Improp*r v*li**tion o* t** JWT tok*n si*n*tur* w**n not usin* t** ****ult *ut*oriz*tion *o** *low **n *l

Reasoning

T** vuln*r**ility st*ms *rom missin* JWT si*n*tur* `v*li**tion` in t** `v*ri*y_si*n*tur*` m*t*o*. T** pr*-p*t** *o** (vuln*r**l* v*rsions) r*turns [k*y, *l*] wit*out **llin* `JWT.***o**` to v*ri*y *rypto*r*p*i* v*li*ity. T** *riti**l *ix in *ommit `*

7.4

Basic Information

Concerned about an active attack path?

CVE-2020-15240: Regression in JWT Signature Validation

Overview

Am I affected?

How to fix that?

Will this update impact my users?

7.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI