Auth0-PHP SDK Brute Force Vulnerability in CookieStore Session Cookies

Vulnerability

A vulnerability exists in the Auth0-PHP SDK in versions from 8.0.0-BETA1 up to, but not including, 8.14.0, and in the Auth0 Symfony, Laravel Auth0, and WordPress SDKs that depend on Auth0-PHP. When these SDKs are configured with session storage set to CookieStore, the authentication tags protecting session cookies can be brute-forced. A forged tag that passes verification lets an attacker present a manipulated session cookie as valid, potentially gaining unauthorized access to a user's session.

Impact

Exploitation of this vulnerability allows the authentication tags of session cookies to be brute-forced, which can result in unauthorized access to user sessions.

Remediation

Users are advised to upgrade the Auth0-PHP SDK to version 8.14.0 or later. Users of the Auth0 Symfony, Laravel Auth0, and WordPress SDKs should upgrade to versions 5.4.0, 7.17.0, and 5.3.0 respectively. Rotating the cookie encryption keys is also advised; note that session cookies issued before the update will be rejected afterwards, so users will need to authenticate again.
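The advisory does not detail how the tags become guessable, so the following is an added example rather than Auth0-PHP SDK code. It shows the properties a defender wants from a cookie-backed session store like the one described above: the cookie is sealed with AES-256-GCM using a full 128-bit authentication tag, the cookie name and key identifier are bound in as associated data, tag verification is left to the AEAD primitive so a forged or truncated tag is simply rejected, and keys live in a versioned keyring so that rotating them (as the remediation recommends) causes cookies sealed under the retired key to be refused. The class name SessionCookieSealer, the keyring layout and the cookie name are assumptions made for this example.

```php
<?php
// Added example, not Auth0-PHP SDK code. Class and keyring layout are hypothetical.
declare(strict_types=1);

final class SessionCookieSealer
{
    private const CIPHER = 'aes-256-gcm';
    private const TAG_LEN = 16; // full 128-bit GCM tag; a truncated tag is what makes guessing feasible
    private const IV_LEN = 12;

    /** @param array<string,string> $keyring keyId => 32-byte raw key; the last entry is the current key */
    public function __construct(private array $keyring) {}

    public function seal(array $session, string $cookieName): string
    {
        $keyId = array_key_last($this->keyring);
        $key = $this->keyring[$keyId];
        $iv = random_bytes(self::IV_LEN);
        $plaintext = json_encode($session, JSON_THROW_ON_ERROR);
        // Bind the cookie name and key id as AAD so a sealed value cannot be replayed under another name/key
        $aad = $cookieName . '|' . $keyId;
        $tag = '';
        $ct = openssl_encrypt($plaintext, self::CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, self::TAG_LEN);
        if ($ct === false) {
            throw new RuntimeException('encryption failed');
        }
        // Cookie layout: <keyId>.<urlsafe-base64(iv || tag || ciphertext)>
        return $keyId . '.' . rtrim(strtr(base64_encode($iv . $tag . $ct), '+/', '-_'), '=');
    }

    /** Returns the session array, or null if the cookie is malformed, forged, or sealed under a retired key. */
    public function open(string $cookie, string $cookieName): ?array
    {
        $parts = explode('.', $cookie, 2);
        if (count($parts) !== 2 || !isset($this->keyring[$parts[0]])) {
            return null; // unknown or rotated-out key: reject, the user must authenticate again
        }
        [$keyId, $payload] = $parts;
        $raw = base64_decode(strtr($payload, '-_', '+/'), true);
        if ($raw === false || strlen($raw) < self::IV_LEN + self::TAG_LEN) {
            return null;
        }
        $iv = substr($raw, 0, self::IV_LEN);
        $tag = substr($raw, self::IV_LEN, self::TAG_LEN);
        $ct = substr($raw, self::IV_LEN + self::TAG_LEN);
        $aad = $cookieName . '|' . $keyId;
        // openssl_decrypt verifies the full tag inside the AEAD; any mismatch yields false
        $pt = openssl_decrypt($ct, self::CIPHER, $this->keyring[$keyId], OPENSSL_RAW_DATA, $iv, $tag, $aad);
        if ($pt === false) {
            return null;
        }
        return json_decode($pt, true, 512, JSON_THROW_ON_ERROR);
    }
}

// Usage with constructed keys (real deployments load keys from configuration, never literals).
$sealer = new SessionCookieSealer(['k1' => random_bytes(32)]);
$cookie = $sealer->seal(['sub' => 'auth0|example-user'], 'auth0_session');

var_dump($sealer->open($cookie, 'auth0_session') !== null); // true: intact cookie, matching key and AAD
var_dump($sealer->open($cookie, 'other_cookie') === null);  // true: AAD mismatch is rejected

// Tampering with a single byte of the encoded payload invalidates the tag.
$tampered = substr($cookie, 0, -1) . ($cookie[-1] === 'A' ? 'B' : 'A');
var_dump($sealer->open($tampered, 'auth0_session') === null); // true

// Key rotation after upgrading: a keyring without k1 refuses cookies sealed under it.
$rotated = new SessionCookieSealer(['k2' => random_bytes(32)]);
var_dump($rotated->open($cookie, 'auth0_session') === null); // true: old session must re-authenticate
```

Keeping the old key in the keyring for a grace period would let existing sessions survive rotation; the advisory's guidance is the opposite, to retire the previous keys so that cookies sealed before the fix are rejected outright.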

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.1
remediation: 7.7
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.