{"id":"CVE-2019-1020015","details":"graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishandles the audience check while verifying JWT.","modified":"2025-11-14T09:03:11.392121Z","published":"2019-07-29T13:15:12.090Z","references":[{"type":"FIX","url":"https://github.com/hasura/graphql-engine/commit/f2f14e727b051e3003ba44b9b63eab8186b291ac"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hasura/graphql-engine","events":[{"introduced":"0"},{"fixed":"f2f14e727b051e3003ba44b9b63eab8186b291ac"}]}],"versions":["v1.0.0-alpha0","v1.0.0-alpha01","v1.0.0-alpha02","v1.0.0-alpha03","v1.0.0-alpha04","v1.0.0-alpha05","v1.0.0-alpha06","v1.0.0-alpha07","v1.0.0-alpha08","v1.0.0-alpha09","v1.0.0-alpha10","v1.0.0-alpha11","v1.0.0-alpha12","v1.0.0-alpha13","v1.0.0-alpha14","v1.0.0-alpha15","v1.0.0-alpha16","v1.0.0-alpha17","v1.0.0-alpha18","v1.0.0-alpha20","v1.0.0-alpha21","v1.0.0-alpha22","v1.0.0-alpha23","v1.0.0-alpha24","v1.0.0-alpha25","v1.0.0-alpha26","v1.0.0-alpha27","v1.0.0-alpha28","v1.0.0-alpha29","v1.0.0-alpha30","v1.0.0-alpha31","v1.0.0-alpha32","v1.0.0-alpha33","v1.0.0-alpha34","v1.0.0-alpha35","v1.0.0-alpha36","v1.0.0-alpha37","v1.0.0-alpha38","v1.0.0-alpha39","v1.0.0-alpha40","v1.0.0-alpha41","v1.0.0-alpha42","v1.0.0-alpha43","v1.0.0-alpha44","v1.0.0-alpha45","v1.0.0-beta.1","v1.0.0-beta.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-1020015.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}