CVE-2018-11537 — Auth0 angular-jwt misinterprets allowlist as regex

Description

Auth0 angular-jwt before 0.1.10 treats whiteListedDomains entries as regular expressions, which allows remote attackers with knowledge of the `jwtInterceptorProvider.whiteListedDomains` setting to bypass the domain allowlist filter via a crafted domain. For example, if the setting is initialized with: `jwtInterceptorProvider.whiteListedDomains = ['whitelisted.Example.com'];` An attacker can set up a domain `whitelistedXexample.com` that will pass the allow list filter, as it considers the `.` separator to be a regex whildcard which matches any character.

How to fix CVE-2018-11537

To remediate CVE-2018-11537, upgrade the affected package to a fixed version below.

—upgrade to 0.1.10 or later

Is CVE-2018-11537 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.1.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-11537
PATCHgithub.com/auth0/angular-jwt
WEBauth0.com/docs/security/bulletins/cve-2018-11537
WEBgithub.com/auth0/angular-jwt/commit/a4f03b49c3fb47cc6375c2a33b5ac11ca3c606f0