The following table lists Auth0 security bulletins that address vulnerabilities in Auth0 software and services. Each bulletin describes the vulnerability, explains how to determine whether you are affected, and states the fix or upgrade that resolves it.
| Date | Bulletin number | Title | Affected software |
|---|---|---|---|
| November 05, 2020 | CVE-2020-15259 | Auth0 Security Bulletin for ad-ldap-connector versions <= 5.0.12 | AD/LDAP Connector |
| October 21, 2020 | CVE-2020-15240 | Security Update for omniauth-auth0 JWT Validation | omniauth-auth0 |
| August 16, 2020 | CVE-2020-15119 | Security Update for Auth0 Lock <= 11.25.1 | Auth0 Lock |
| July 28, 2020 | CVE-2020-15125 | Auth0 Security Bulletin for node-auth0 <= 2.27.0 | node-auth0 |
| June 30, 2020 | CVE-2020-15084 | Auth0 Security Bulletin for express-jwt versions < 6.0.0 | express-jwt |
| April 09, 2020 | CVE-2020-5263 | Auth0 Security Bulletin for auth0.js versions <= 9.13.1 | Auth0.js |
| March 31, 2020 | Auth0 bulletin | Auth0 Security Bulletin for WordPress Plugin for Auth0 versions < 4.0.0 | WordPress Plugin for Auth0 |
| January 31, 2020 | CVE-2019-20173 | Auth0 Security Bulletin for WordPress Plugin for Auth0 versions 3.11.0, 3.11.1 and 3.11.2 | WordPress Plugin for Auth0 |
| January 30, 2020 | CVE-2019-20174 | Auth0 Security Bulletin for Auth0 Lock < 11.21.0 | Auth0 Lock |
| October 04, 2019 | CVE-2019-16929 | Auth0 Security Bulletin for auth0.net between versions 5.8.0 and 6.5.3 inclusive | auth0.net |
| September 05, 2019 | Auth0 bulletin | Auth0 Security Bulletin for assigning scopes based on email address | Custom code within Auth0 Rules |
| July 23, 2019 | CVE-2019-13483 | Security Bulletin for Passport-SharePoint < 0.4.0 | Passport-SharePoint |
| February 15, 2019 | CVE-2019-7644 | Security Bulletin for Auth0-WCF-Service-JWT < 1.0.4 | Auth0-WCF-Service-JWT |
| January 10, 2019 | Auth0 bulletin | Auth0 Security Bulletin for Vulnerable Patterns in Custom Rule Code | Custom code within Auth0 Rules |
| August 6, 2018 | CVE-2018-15121 | Security vulnerability in deprecated Auth0 middleware for ASP.NET | auth0-aspnet, auth0-aspnet-owin |
| June 5, 2018 | CVE-2018-11537 | Security update for angular-jwt whitelist bypass | angular-jwt |
| April 4, 2018 | CVE-2018-6874 | Security vulnerability for Auth0 authentication service | Auth0 Authentication Service |
| April 4, 2018 | CVE-2018-6873 | Security vulnerability for Auth0 authentication service | Auth0 Authentication Service |
| February 26, 2018 | CVE-2018-7307 | Security vulnerability for auth0.js < 9.3 | Auth0.js |
| December 22, 2017 | CVE-2017-16897 | Security update for passport-wsfed-saml2 Passport strategy library | passport-wsfed-saml2 Passport strategy library |
| December 4, 2017 | CVE-2017-17068 | Security update for auth0.js popup callback vulnerability | Auth0.js |
Prevent cybersecurity threats
Some common cybersecurity threats include:

- Bucket brigade (man-in-the-middle) attacks
- Cross-site Request Forgery (CSRF or XSRF) attacks
Auth0 has attack protection features that can shield against certain attacks. See Prevent Common Cybersecurity Threats for details.
Custom database connections, hooks, and rules run on Auth0's infrastructure and call out to your systems. If those systems sit behind a firewall, you may need to add the specific Auth0 IP addresses for your region to your AllowList so that these outbound calls are not blocked.

If certain user fields must not be stored in Auth0 databases for privacy reasons, add those user attributes to the DenyList so they are never persisted. Separately, if you need to revoke an access token so that it can no longer be used, you can do so with the DenyList or with application grants. To learn more, see Revoke Access to API Using DenyList or Application Grants.