MEDIUM 6.5
GHSA-ffq7-hh2j-r24p
Auth0 Symfony SDK Accepted Bearer Tokens via URL Query Parameter
Details
### Description Applications built with the Auth0 Symphony SDK, using the Authorizer security authenticator to protect HTTP routes may accept OAuth 2.0 bearer access tokens provided through a URL query parameter, in addition to the standard Authorization header, which may increase the risk of access token exposure and replay against protected API endpoints.
### Resolution Upgrade auth0/symfony to version 5.9.0 or greater.
### Acknowledgement Okta would like to thank Alex Yeara for their discovery.
Are you affected?
Enter the version of the package you're using.
Affected packages
Packagist / auth0/symfony
Introduced in:
5.0.0-BETA0 Fixed in: 5.9.0 Fix
composer require auth0/symfony:^5.9.0 References
- https://github.com/auth0/symfony/security/advisories/GHSA-ffq7-hh2j-r24p [WEB]
- https://github.com/auth0/symfony/commit/172d1d3e0b9d1e93610d786118389a811179bc8a [WEB]
- https://github.com/auth0/symfony/commit/bd1851b14ae15e99cbe87c96496cf25da025288a [WEB]
- https://github.com/auth0/symfony [PACKAGE]
- https://github.com/auth0/symfony/releases/tag/5.9.0 [WEB]