
CVE-2020-15240: Regression in JWT Signature Validation

CVSS Score: 7.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.26033%
Published: 11/3/2020
Updated: 5/4/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| omniauth-auth0 | rubygems | >= 2.3.0, < 2.4.1 | 2.4.1 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing JWT signature validation in the `verify_signature` method. In the vulnerable versions the method returns `[key, alg]` without calling `JWT.decode`, so the token's cryptographic validity is never checked. The critical fix in commit fd3a14f adds a `JWT.decode(key, true, ...)` call, which performs the actual signature verification. The test cases added in the commit (e.g., 'should fail when RS256 token has invalid signature') confirm that signature validation was previously missing. This function maps directly to CWE-347 (Improper Verification of Cryptographic Signature), the weakness listed in the advisory.
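As an added illustration (not omniauth-auth0's code and not the diff of commit fd3a14f), the two shapes the analysis contrasts, built only on Ruby's standard library: a `verify_signature_vulnerable` that returns `[key, alg]` without checking anything, beside a `verify_signature_fixed` that verifies the RS256 signature and pins the algorithm before the payload is trusted. The `sign_rs256`, `b64url` and `unb64url` helpers and the token values are constructed for this example.

```ruby
require 'openssl'
require 'json'

# Base64url helpers built on Array#pack so nothing beyond the standard library is needed.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def unb64url(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# Issues an RS256 JWT (constructed helper standing in for the identity provider).
def sign_rs256(payload, rsa_key)
  header = b64url(JSON.generate({ 'alg' => 'RS256', 'typ' => 'JWT' }))
  signing_input = "#{header}.#{b64url(JSON.generate(payload))}"
  sig = rsa_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Vulnerable shape: reads the algorithm from the header and returns [key, alg]
# without any cryptographic check, so every well-formed token is "valid".
def verify_signature_vulnerable(token, public_key)
  header = JSON.parse(unb64url(token.split('.')[0]))
  [public_key, header['alg']]
end

# Fixed shape: pin the algorithm and verify the signature over header.payload
# with the issuer's public key before the payload is returned to the caller.
def verify_signature_fixed(token, public_key)
  header_b64, payload_b64, sig_b64 = token.split('.')
  header = JSON.parse(unb64url(header_b64))
  raise 'unexpected alg' unless header['alg'] == 'RS256'
  digest = OpenSSL::Digest.new('SHA256')
  ok = public_key.verify(digest, unb64url(sig_b64), "#{header_b64}.#{payload_b64}")
  raise 'invalid signature' unless ok
  JSON.parse(unb64url(payload_b64))
end

# Constructed inputs: a token from the trusted issuer, and the same token with
# its payload swapped (the "invalid signature" case the regression test covers).
TRUSTED_KEY = OpenSSL::PKey::RSA.generate(2048)
GOOD_TOKEN = sign_rs256({ 'sub' => 'user-1' }, TRUSTED_KEY)
h, _p, s = GOOD_TOKEN.split('.')
TAMPERED_TOKEN = "#{h}.#{b64url(JSON.generate({ 'sub' => 'admin' }))}.#{s}"
```

The vulnerable function hands back `[key, 'RS256']` for the tampered token exactly as it does for the genuine one, while the fixed function raises `invalid signature` for it and returns the payload only for the genuine token.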

WAF Protection Rules

WAF Rule

### Overview

Versions after and including `*.*.*` are improperly validating the JWT token signature when using the `JWTValidator.verify` method. Improper validation of the JWT token signature when not using the default authorization code flow can al
