Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 42cb8ee2a10c · 2025-12-17T20:57:20.000Z
GHSA-7hh9-gp72-wh7h GHSA-f3r2-88mq-9v4g
diff --git a/advisories/github-reviewed/2025/12/GHSA-7hh9-gp72-wh7h/GHSA-7hh9-gp72-wh7h.json b/advisories/github-reviewed/2025/12/GHSA-7hh9-gp72-wh7h/GHSA-7hh9-gp72-wh7h.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7hh9-gp72-wh7h",
+  "modified": "2025-12-17T20:55:50Z",
+  "published": "2025-12-17T20:55:50Z",
+  "aliases": [],
+  "summary": "Auth0 Laravel SDK has Improper Audience Validation via Auth0-PHP SDK dependency",
+  "details": "### Description\nIn applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.\n\n### Affected product and versions\nUsers are affected if they meet the following preconditions:\n\n- Applications using the Auth0 laravel-auth0 SDK with versions between 7.0.0 and 7.19.0,\n- Auth0 laravel-auth0 SDK uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.\n\n### Resolution\nUpgrade Auth0/laravel-auth0 to version 7.20.0 or greater.\n\n### Acknowledgement\nOkta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "auth0/login"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.0.0"
+            },
+            {
+              "fixed": "7.20.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/auth0/laravel-auth0/security/advisories/GHSA-7hh9-gp72-wh7h"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/auth0/laravel-auth0/commit/a1c3344dc0e5a36e8f56c8cfc535728d3d7558f3"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/auth0/laravel-auth0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/auth0/laravel-auth0/releases/tag/7.20.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1395",
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-17T20:55:50Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-f3r2-88mq-9v4g/GHSA-f3r2-88mq-9v4g.json b/advisories/github-reviewed/2025/12/GHSA-f3r2-88mq-9v4g/GHSA-f3r2-88mq-9v4g.json
@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f3r2-88mq-9v4g",
+  "modified": "2025-12-17T20:56:37Z",
+  "published": "2025-12-17T20:56:37Z",
+  "aliases": [],
+  "summary": "Auth0 Symfony SDK has Improper Audience Validation via Auth0-PHP SDK",
+  "details": "### Description\nIn applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.\n\n### Affected product and versions\nProjects are affected if they meet the following preconditions:\n\n- Applications using the Auth0 Symfony SDK with versions between 5.0.0 and 5.5.0\n- Auth0 Symfony SDK uses the Auth0-PHP SDK with versions between 8.0.0 and 8.17.0.\n\n### Resolution\nUpgrade Auth0/symfony to version 5.6.0 or greater.\n\n### Acknowledgement\nOkta would like to thank Jafar Sadiq (iaf4r) for their discovery and responsible disclosure.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "auth0/symfony"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.0.0"
+            },
+            {
+              "fixed": "5.6.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 5.5.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/auth0/symfony/security/advisories/GHSA-f3r2-88mq-9v4g"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/auth0/symfony/commit/0103d6f8dcef6996653fad1f823d1c167f472479"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/auth0/symfony"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/auth0/symfony/releases/tag/5.6.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1395",
+      "CWE-345",
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-17T20:56:37Z",
+    "nvd_published_at": null
+  }
+}
