logo

Database

Insufficient data authenticity validation In auth0/symfony

Description

Auth0 Symfony SDK has Improper Audience Validation via Auth0-PHP SDK

Description

In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.

Affected product and versions

Projects are affected if they meet the following preconditions:

    Applications using the Auth0 Symfony SDK with versions between 5.0.0 and 5.5.0

    Auth0 Symfony SDK uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.

Resolution

Upgrade Auth0/symfony to version 5.6.0 or greater.

Acknowledgement

Okta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-f3r2-88mq-9v4g2. GCVE-GHSA-f3r2-88mq-9v4g

References

1. https://github.com/auth0/symfony/security/advisories/GHSA-f3r2-88mq-9v4g2. https://github.com/auth0/symfony/commit/0103d6f8dcef6996653fad1f823d1c167f4724793. https://github.com/auth0/symfony/releases/tag/5.6.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.