
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN354
_____________________________________________________________________

DATE                : 03/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running auth0/symfony (Composer),
                   auth0/wordpress (Composer), auth0/login (Composer).

=====================================================================
https://github.com/auth0/symfony/security/advisories/GHSA-ghc5-95c2-vwcv
https://github.com/auth0/wordpress/security/advisories/GHSA-vfpx-q664-h93m
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-fmg6-246m-9g2v
_____________________________________________________________________


Insufficient Entropy in Cookie Encryption in Auth0 Symfony SDK
High
jennyyang-okta published GHSA-ghc5-95c2-vwcv Apr 1, 2026

Package
auth0/symfony (Composer)

Affected versions
>= 5.0.0 and <= 5.7.0

Patched versions
5.8.0


Description

Impact

In applications built with the Auth0 PHP SDK, cookies are encrypted with
insufficient entropy, which may result in threat actors brute-forcing
the encryption key and forging session cookies.
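To make that failure mode concrete, the following is an added Python illustration, not the Auth0 PHP SDK's code and not the SDK's actual key derivation, which the advisory does not describe. Cookies are sealed with an encrypt-then-MAC construction, but the key is derived from a hypothetical 4-digit seed, so an attacker holding a single captured cookie can enumerate the whole keyspace offline, recover the key and mint a cookie carrying different claims. The sealing scheme, `weak_key`, the sample claims and the toy stream cipher are all assumptions for illustration; `strong_key` shows the intended alternative of 256 bits drawn from the OS CSPRNG.

```python
"""Toy illustration of CWE-331 as described in the advisory: a session cookie
sealed under a key with too little entropy is brute-forced offline, then
forged.  Added example; the sealing scheme and the weak key derivation are
hypothetical and are NOT how the Auth0 PHP SDK derives or uses its key."""
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a toy stream cipher (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, claims: dict) -> str:
    """Encrypt-then-MAC: hex(nonce || ciphertext || HMAC-SHA256 tag)."""
    plaintext = json.dumps(claims, sort_keys=True).encode()
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def unseal(key: bytes, cookie: str):
    """Return the claims if the tag verifies under `key`, otherwise None."""
    raw = bytes.fromhex(cookie)
    nonce, ct, tag = raw[:12], raw[12:-32], raw[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def weak_key(seed: int) -> bytes:
    """Hypothetical weak derivation: the 256-bit output is a hash of a 4-digit
    value, so the effective keyspace is 10**4 (about 13.3 bits)."""
    return hashlib.sha256(f"{seed:04d}".encode()).digest()


def brute_force_key(cookie: str, keyspace: int = 10**4):
    """Try every candidate seed against one captured cookie; return the key."""
    for seed in range(keyspace):
        key = weak_key(seed)
        if unseal(key, cookie) is not None:  # a valid tag identifies the key
            return key
    return None


def forge_session(captured_cookie: str, new_claims: dict):
    """Recover the key from a captured cookie and mint one with our own claims."""
    key = brute_force_key(captured_cookie)
    if key is None:
        return None
    return seal(key, new_claims)


def strong_key() -> bytes:
    """256 bits from the OS CSPRNG: the keyspace becomes 2**256, not 10**4."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    server_key = weak_key(secrets.randbelow(10**4))  # server picked a weak key
    victim = seal(server_key, {"sub": "alice", "role": "user"})  # constructed sample
    forged = forge_session(victim, {"sub": "alice", "role": "admin"})
    print("server accepts forged cookie as:", unseal(server_key, forged))
    print("weak keyspace ~ 2^%d, strong keyspace 2^256" % (10**4).bit_length())
```

The brute force only needs one cookie that verifies: a correct HMAC tag confirms the candidate key, after which any claims can be sealed. With `strong_key` the same loop would have to cover 2^256 candidates, which is what "sufficient entropy" buys.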


Am I Affected?

You are affected if both of the following preconditions hold:

  - the application uses the Auth0 Symfony SDK (auth0/symfony) at a
    version from 5.0.0 to 5.7.0 inclusive, and
  - that SDK pulls in the Auth0-PHP SDK (auth0/auth0-php) at a version
    from 8.0.0 to 8.18.0 inclusive.


Resolution

Upgrade auth0/symfony to version 5.8.0 or greater.


Severity
High
8.2 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

CVE ID
No known CVE

Weaknesses
CWE-331 (Insufficient Entropy)

_____________________________________________________________________


Insufficient Entropy in Cookie Encryption in Auth0 WordPress Plugin
High
jennyyang-okta published GHSA-vfpx-q664-h93m Apr 1, 2026

Package
auth0/wordpress (Composer)

Affected versions
>=5.0.0-BETA0 and <=5.5.0

Patched versions
5.6.0


Description

Impact

In applications built with the Auth0 PHP SDK, cookies are encrypted
with insufficient entropy, which may result in threat actors
brute-forcing the encryption key and forging session cookies.


Am I Affected?

You are affected if both of the following preconditions hold:

  - the site uses the Auth0 WordPress Plugin (auth0/wordpress) at a
    version from 5.0.0-BETA0 to 5.5.0 inclusive, and
  - the plugin pulls in the Auth0-PHP SDK (auth0/auth0-php) at a version
    from 8.0.0 to 8.18.0 inclusive.


Resolution

Upgrade auth0/wordpress to version 5.6.0 or greater.


Severity
High
8.2 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

CVE ID
No known CVE

Weaknesses
CWE-331 (Insufficient Entropy)

_____________________________________________________________________


Insufficient Entropy in Cookie Encryption in Auth0 laravel-auth0 SDK
High
jennyyang-okta published GHSA-fmg6-246m-9g2v Apr 1, 2026

Package
auth0/login (Composer)

Affected versions
>=7.0.0 and <= 7.20.0

Patched versions
7.21.0


Description

Impact

In applications built with the Auth0 PHP SDK, cookies are encrypted
with insufficient entropy, which may result in threat actors
brute-forcing the encryption key and forging session cookies.


Am I Affected?

You are affected if both of the following preconditions hold:

  - the application uses the laravel-auth0 SDK (auth0/login) at a
    version from 7.0.0 to 7.20.0 inclusive, and
  - that SDK pulls in the Auth0-PHP SDK (auth0/auth0-php) at a version
    from 8.0.0 to 8.18.0 inclusive.
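The three "Am I Affected?" lists in this note encode the same two-part precondition. The following added Python check, which is not part of the advisories or of any Auth0 project, applies those ranges to a composer.lock: it parses Composer-style versions, including the `5.0.0-BETA0` pre-release bound and a leading `v`, and reports every listed package that falls inside the inclusive ranges stated above. The composer.lock content is a constructed sample; the auth0/auth0-php entry is reported without a patched version because the advisories state the fix only through the wrapper packages.

```python
"""Scan a composer.lock for the ranges named in GHSA-ghc5-95c2-vwcv,
GHSA-vfpx-q664-h93m and GHSA-fmg6-246m-9g2v.  Added example, not part of
the advisories or of any Auth0 project."""
import json
import re

# (first affected, last affected, patched) as stated in the advisories, all
# bounds inclusive.  auth0/auth0-php is the shared precondition; the advisories
# give no separate fix for it, only the wrapper upgrades.
AFFECTED = {
    "auth0/symfony":   ("5.0.0", "5.7.0", "5.8.0"),
    "auth0/wordpress": ("5.0.0-BETA0", "5.5.0", "5.6.0"),
    "auth0/login":     ("7.0.0", "7.20.0", "7.21.0"),
    "auth0/auth0-php": ("8.0.0", "8.18.0", None),
}

# Composer orders pre-releases dev < alpha < beta < RC < stable.
PRE_RANK = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}
STABLE_RANK = 4


def version_key(version: str) -> tuple:
    """Sortable key for a Composer-style version such as 'v5.3.0' or '5.0.0-BETA0'."""
    version = version.strip().lstrip("vV")
    numeric, _, pre = version.partition("-")
    parts = tuple(int(p) for p in numeric.split(".") if p.isdigit())
    parts = (parts + (0, 0, 0, 0))[:4]            # normalise to four components
    if not pre:
        return parts + ((STABLE_RANK, 0),)        # a release sorts after its pre-releases
    m = re.match(r"([A-Za-z]+)\.?(\d*)", pre)
    if not m:
        return parts + ((0, 0),)
    label, number = m.group(1).lower(), m.group(2)
    return parts + ((PRE_RANK.get(label, 0), int(number or 0)),)


def is_affected(package: str, version: str):
    """Return (affected, patched_version) for one package/version pair."""
    if package not in AFFECTED:
        return False, None
    low, high, patched = AFFECTED[package]
    hit = version_key(low) <= version_key(version) <= version_key(high)
    return hit, patched


def check_lock(lock_json: str) -> list:
    """Return [(name, version, patched), ...] for affected entries in a composer.lock."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            hit, patched = is_affected(pkg.get("name", ""), pkg.get("version", ""))
            if hit:
                findings.append((pkg["name"], pkg["version"], patched))
    return findings


# Constructed sample lock file content; not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "auth0/auth0-php", "version": "8.12.0"},
        {"name": "auth0/symfony", "version": "v5.3.0"},
        {"name": "symfony/http-foundation", "version": "v6.4.3"},
    ],
    "packages-dev": [
        {"name": "auth0/wordpress", "version": "5.6.0"},
    ],
})

if __name__ == "__main__":
    for name, version, patched in check_lock(SAMPLE_LOCK):
        fix = f"upgrade to >= {patched}" if patched else "fixed through the wrapper package upgrade"
        print(f"{name} {version}: affected, {fix}")
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with the file's contents; a hit on auth0/auth0-php alone, with the wrapper already at or above its patched version, is the state the advisories describe as fixed.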


Resolution

Upgrade auth0/login (the laravel-auth0 SDK) to version 7.21.0 or greater.


Severity
High
8.2 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

CVE ID
No known CVE

Weaknesses
CWE-331 (Insufficient Entropy)


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




