6.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-f3r2-88mq-9v4g

GHSA-f3r2-88mq-9v4g: Auth0 Symfony SDK has Improper Audience Validation via Auth0-PHP SDK

Description

In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.

Affected product and versions

Projects are affected if they meet the following preconditions:

Applications using the Auth0 Symfony SDK with versions between 5.0.0 and 5.5.0
Auth0 Symfony SDK uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.

Resolution

Upgrade Auth0/symfony to version 5.6.0 or greater.

Acknowledgement

Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-f3r2-88mq-9v4g

GHSA-f3r2-88mq-9v4g:

6.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
auth0/symfony	composer	>= 5.0.0, <= 5.5.0	5.6.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the auth0/auth0-php package, which is a dependency of auth0/symfony. The advisory for auth0/symfony points to a patch that simply bumps the version of auth0/auth0-php. By analyzing the commits between the vulnerable version (8.17.0) and the patched version (8.18.0) of auth0/auth0-php, I identified the exact changes that address the vulnerability. The core of the fix is in the validate method of the Auth0\SDK\Token class. The patch adds logic to detect if an ID token is being used as an access token by checking for a nonce claim, which should only be present in ID tokens. If a nonce is found in a token being validated as an access token, an exception is thrown. This indicates that the validate function was the point of failure, as it previously lacked this critical validation step, allowing for improper token type acceptance.

Vulnerable functions

Auth0\SDK\Token::validate

src/Token.php

The `validate` function in the `Token` class of the `auth0/auth0-php` library did not properly distinguish between ID tokens and access tokens. An attacker could present an ID token, which would be accepted as a valid access token. This is because the function failed to check for the presence of a 'nonce' claim, which is specific to ID tokens. The patch introduces a check for the 'nonce' claim when the token type is specified as an access token, and throws an exception if it is present, thus preventing the misuse of ID tokens.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.8

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-f3r2-88mq-9v4g: Auth0 Symfony SDK has Improper Audience Validation via Auth0-PHP SDK

Description

Affected product and versions

Resolution

Acknowledgement

GHSA-f3r2-88mq-9v4g:

6.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

6.8

6.8

Basic Information

Basic Information

GHSA-f3r2-88mq-9v4g: Auth0 Symfony SDK has Improper Audience Validation via Auth0-PHP SDK

Description

Affected product and versions

Resolution

Acknowledgement

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI