Auth0 Symfony SDK Does Not Properly Handle File Types in Bulk User Import

Overview

In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path it is given, neither the stream wrapper (scheme prefix) nor the path value itself. Without that validation, an affected application may accept arbitrary file paths or URLs as the import source.
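The advisory describes the defect as a missing check on the wrapper and value of the import file path. The helper below is an added example, not Auth0's code and not the SDK's actual fix: it shows the check an application can apply before handing a user-supplied path to the bulk-import call, confining the path to one allowed directory and rejecting stream wrappers, URLs, traversal and symlink escapes. The directory, file names and connection id are constructed placeholders, and the `$management->jobs()->createImportUsers(...)` call in the trailing comment is the Auth0-PHP Management API method as assumed here; verify its signature against the SDK version in use.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not Auth0's code): confine a user-supplied bulk-import file
 * path to a single allowed directory and refuse PHP stream wrappers and URLs.
 */
final class ImportPathValidator
{
    private string $allowedDir;

    public function __construct(string $allowedDir)
    {
        $real = realpath($allowedDir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException('allowed directory does not exist');
        }
        $this->allowedDir = $real;
    }

    /**
     * Returns the canonical path of a regular .json file inside the allowed
     * directory, or throws. The returned value never carries a scheme prefix.
     */
    public function validate(string $userPath): string
    {
        // 1. Fail closed on anything that looks like a URL or stream wrapper
        //    (php://, file://, data:, http://, phar://, ...) before touching
        //    the filesystem at all.
        if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath) === 1) {
            throw new InvalidArgumentException('stream wrappers and URLs are not allowed');
        }
        // NUL bytes can truncate the path in the underlying C calls.
        if (strpos($userPath, "\0") !== false) {
            throw new InvalidArgumentException('path contains a NUL byte');
        }

        // 2. Accept only a bare file name; traversal segments and
        //    subdirectories are rejected rather than "cleaned".
        if (basename($userPath) !== $userPath) {
            throw new InvalidArgumentException('only a bare file name is accepted');
        }

        // 3. Canonicalise and confirm the file resolves inside the allowed
        //    directory; a symlink pointing elsewhere is caught here because
        //    realpath() follows it.
        $real = realpath($this->allowedDir . DIRECTORY_SEPARATOR . $userPath);
        if ($real === false || !is_file($real)) {
            throw new InvalidArgumentException('file not found');
        }
        $prefix = $this->allowedDir . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
            throw new InvalidArgumentException('file resolves outside the allowed directory');
        }

        // 4. Bulk user import consumes a JSON users file. Restricting to
        //    ".json" is a policy choice for this example; widen it if the
        //    application also accepts gzipped JSON.
        if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'json') {
            throw new InvalidArgumentException('import file must be .json');
        }

        return $real;
    }
}

// Usage (constructed placeholders; the SDK call is an assumed signature):
// $validator = new ImportPathValidator(__DIR__ . '/var/imports');
// $safePath  = $validator->validate($_POST['users_file'] ?? '');
// $management->jobs()->createImportUsers($safePath, 'con_PLACEHOLDER');
```

The order of checks matters: the wrapper test runs on the raw string before `realpath()` is called, so a `php://` or `data:` value is rejected without ever being opened, and the prefix comparison on the canonical path is what catches a symlink inside the import directory that points elsewhere.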

Am I affected?

You are affected by this vulnerability if both of the following preconditions hold:

  1. Your application uses the Auth0 Symfony SDK at a version between 2.0.2 and 5.4.1, and
  2. that Auth0 Symfony SDK depends on the Auth0-PHP SDK at a version between 3.3.0 and 8.16.0.

Fix

Upgrade Auth0/symfony to version 5.5.0 or greater.

Acknowledgement

Okta would like to thank Mohamed Amine Saidani (pwni) for discovering this vulnerability.

CVSS v3:

  • Severity: Unknown
  • Score:
  • AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

CWEs: