Auto-merge PR#3547

2025-08-04 08:44:25 +00:00 · 2020-04-09 11:50:17 -04:00 · 2020-04-09 11:50:17 -04:00 · 8598125ae1
commit 8598125ae1
parent 58f3a4cda4 c81f31a844
1 changed files with 76 additions and 6 deletions
--- a/2020/5xxx/CVE-2020-5263.json
+++ b/2020/5xxx/CVE-2020-5263.json
@ -1,18 +1,88 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-5263",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Information disclosure through error object"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "auth0.js",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": ">= 8.0.0, < 9.12.3"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "auth0"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure.\n\nThis is fixed in version 9.12.3"
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "LOCAL",
+            "availabilityImpact": "NONE",
+            "baseScore": 5.5,
+            "baseSeverity": "MEDIUM",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "NONE",
+            "privilegesRequired": "HIGH",
+            "scope": "CHANGED",
+            "userInteraction": "REQUIRED",
+            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-522: Insufficiently Protected Credentials"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp"
+            },
+            {
+                "name": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828",
+                "refsource": "MISC",
+                "url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-prfq-f66g-43mp",
+        "discovery": "UNKNOWN"
    }
 }