CVE 2020-15259: Security Update for ad-ldap-connector - Auth0 Docs

Published: 05 November 2020 CVE number: CVE-2020-15259

Overview

The ad-ldap-connector admin console does not provide CSRF protection, which when exploited may result in remote code execution or confidential data loss. CSRF exploits may occur if the user visits a malicious page containing CSRF payload on the same machine that has access to the ad-ldap-connector admin console via a browser.

Am I affected?

You may be affected if you use the admin console included with ad-ldap-connector versions <=5.0.12. If you do not have ad-ldap-connector admin console enabled or do not visit any other public URL while on the machine it is installed on, you are not affected.

How to fix that?

Upgrade to the latest version of ad-ldap-connector and restart your admin console.

Will this update impact my users?

The fix provided in this version will not affect your users.

CVE-2021-32641: Security Update for Auth0 Lock Library

CVE-2020-15240: Security Update for omniauth-auth0 JWT Validation

⌘I