Dennis Detering

**Name of the Vulnerable Software and Affected Versions** Logstash versions prior to 7.4.1 Logstash versions prior to 6.8.4 **Description** The issue is a denial of service flaw in the Logstash Beats input plugin. An unauthenticated user who can connect to the port the Logstash beats input is using could send a specially crafted network packet, causing Logstash to stop responding. **Recommendations** For versions prior to 7.4.1, update to version 7.4.1 or later. For versions prior to 6.8.4, update to version 6.8.4 or later.

**Name of the Vulnerable Software and Affected Versions** Auth0 versions prior to 6.5.4 **Description** The issue is related to Incorrect Access Control in Auth0, where the IdentityTokenValidator can be accidentally used to validate untrusted ID tokens, potentially leading to unauthorized access. **Recommendations** For versions prior to 6.5.4, update to version 6.5.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** jwt versions prior to 1.0.3 **Description** The issue concerns a timing attack that can be used to spoof signatures. This is due to the `verify` function in `Encryption/Symmetric.php` not utilizing a timing-safe function for hash comparison, allowing attackers to exploit this weakness. **Recommendations** For versions prior to 1.0.3, update to version 1.0.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** jwcrypto versions prior to 0.3.2 **Description** The issue concerns the RSA 1.5 algorithm implementation in jwa.py, which lacks the Random Filling protection mechanism. This makes it easier for remote attackers to obtain cleartext data via a Million Message Attack (MMA). **Recommendations** For versions prior to 0.3.2, update to version 0.3.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the RSA 1.5 algorithm implementation until a patch is available.