VDB
KO
MEDIUM 6.5

GHSA-ffq7-hh2j-r24p

Auth0 Symfony SDK Accepted Bearer Tokens via URL Query Parameter

Details

### Description Applications built with the Auth0 Symphony SDK, using the Authorizer security authenticator to protect HTTP routes may accept OAuth 2.0 bearer access tokens provided through a URL query parameter, in addition to the standard Authorization header, which may increase the risk of access token exposure and replay against protected API endpoints.

### Resolution Upgrade auth0/symfony to version 5.9.0 or greater.

### Acknowledgement Okta would like to thank Alex Yeara for their discovery.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / auth0/symfony
Introduced in: 5.0.0-BETA0 Fixed in: 5.9.0
Fix composer require auth0/symfony:^5.9.0

References