cvelistv5 - cve-2020-5263

CVE-2020-5263 (GCVE-0-2020-5263)

Vulnerability from cvelistv5 – Published: 2020-04-09 15:50 – Updated: 2024-08-04 08:22

Summary

auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

CWE

CWE-522 - Insufficiently Protected Credentials

Assigner

GitHub_M

References

URL

Tags

	https://github.com/auth0/auth0.js/security/adviso…	x_refsource_CONFIRM
	https://github.com/auth0/auth0.js/commit/355ca749…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	auth0	auth0.js	Affected: >= 8.0.0, < 9.12.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:22:09.088Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "auth0.js",
          "vendor": "auth0",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 9.12.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522: Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-09T15:50:12",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828"
        }
      ],
      "source": {
        "advisory": "GHSA-prfq-f66g-43mp",
        "discovery": "UNKNOWN"
      },
      "title": "Information disclosure through error object",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-5263",
          "STATE": "PUBLIC",
          "TITLE": "Information disclosure through error object"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "auth0.js",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 8.0.0, \u003c 9.12.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "auth0"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3"
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-522: Insufficiently Protected Credentials"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp",
              "refsource": "CONFIRM",
              "url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp"
            },
            {
              "name": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828",
              "refsource": "MISC",
              "url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-prfq-f66g-43mp",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-5263",
    "datePublished": "2020-04-09T15:50:12",
    "dateReserved": "2020-01-02T00:00:00",
    "dateUpdated": "2024-08-04T08:22:09.088Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:auth0:auth0.js:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.0.0\", \"versionEndIncluding\": \"9.13.1\", \"matchCriteriaId\": \"610E2D65-C419-40AD-B656-4F4E241E61D0\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3\"}, {\"lang\": \"es\", \"value\": \"auth0.js (paquete NPM auth0-js) versiones superiores a 8.0.0 y versiones anteriores 9.12.3, presenta una vulnerabilidad. En el caso de un error de (autenticaci\\u00f3n), el objeto del error devuelto por la biblioteca contiene la petici\\u00f3n original del usuario, que puede incluir la contrase\\u00f1a de texto plano que ingres\\u00f3 el usuario. Si el objeto de error se expone o registra sin modificaci\\u00f3n, la aplicaci\\u00f3n corre el riesgo de exponer la contrase\\u00f1a. Esto es corregido en la versi\\u00f3n 9.12.3\"}]",
      "id": "CVE-2020-5263",
      "lastModified": "2024-11-21T05:33:47.647",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.1, \"impactScore\": 4.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 4.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:N/A:N\", \"baseScore\": 4.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-04-09T16:15:12.160",
      "references": "[{\"url\": \"https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-522\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-522\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-5263\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-04-09T16:15:12.160\",\"lastModified\":\"2024-11-21T05:33:47.647\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3\"},{\"lang\":\"es\",\"value\":\"auth0.js (paquete NPM auth0-js) versiones superiores a 8.0.0 y versiones anteriores 9.12.3, presenta una vulnerabilidad. En el caso de un error de (autenticaci\u00f3n), el objeto del error devuelto por la biblioteca contiene la petici\u00f3n original del usuario, que puede incluir la contrase\u00f1a de texto plano que ingres\u00f3 el usuario. Si el objeto de error se expone o registra sin modificaci\u00f3n, la aplicaci\u00f3n corre el riesgo de exponer la contrase\u00f1a. Esto es corregido en la versi\u00f3n 9.12.3\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.1,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:auth0:auth0.js:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndIncluding\":\"9.13.1\",\"matchCriteriaId\":\"610E2D65-C419-40AD-B656-4F4E241E61D0\"}]}]}],\"references\":[{\"url\":\"https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

GSD-2020-5263

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2020-5263

Aliases

CVE-2020-5263

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-5263",
    "description": "auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3",
    "id": "GSD-2020-5263"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-5263"
      ],
      "details": "auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3",
      "id": "GSD-2020-5263",
      "modified": "2023-12-13T01:22:03.709071Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-5263",
        "STATE": "PUBLIC",
        "TITLE": "Information disclosure through error object"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "auth0.js",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 8.0.0, \u003c 9.12.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "auth0"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3"
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-522: Insufficiently Protected Credentials"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp",
            "refsource": "CONFIRM",
            "url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp"
          },
          {
            "name": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828",
            "refsource": "MISC",
            "url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-prfq-f66g-43mp",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=8.0.0 \u003c=9.13.1",
          "affected_versions": "All versions starting from 8.0.0 up to 9.13.1",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-522",
            "CWE-937"
          ],
          "date": "2020-04-10",
          "description": "In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure.",
          "fixed_versions": [
            "9.13.2"
          ],
          "identifier": "CVE-2020-5263",
          "identifiers": [
            "CVE-2020-5263",
            "GHSA-prfq-f66g-43mp"
          ],
          "not_impacted": "All versions before 8.0.0, all versions after 9.13.1",
          "package_slug": "npm/auth0-js",
          "pubdate": "2020-04-09",
          "solution": "Upgrade to version 9.13.2 or above.",
          "title": "Insufficiently Protected Credentials",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-5263"
          ],
          "uuid": "f185589f-8262-4dfc-b676-b98a9cef9e2f"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:auth0:auth0.js:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "9.13.1",
                "versionStartIncluding": "8.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-5263"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-522"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828"
            },
            {
              "name": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-04-10T13:25Z",
      "publishedDate": "2020-04-09T16:15Z"
    }
  }
}

GHSA-PRFQ-F66G-43MP

Vulnerability from github – Published: 2020-04-10 18:19 – Updated: 2021-01-08 20:23

Summary

Information disclosure through error object in auth0.js

Details

Overview

Between versions 8.0.0 and 9.13.1(inclusive), in the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered.

If the error object is exposed or logged without modification, the application risks password exposure.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

You are using Auth0.js version between 8.0.0 and 9.13.1(inclusive).
You store or display error objects without filtering.

How to fix that?

Developers should upgrade auth0.js to version 9.13.2 or later where user inputted passwords are masked in errors. If upgrading is not possible, a temporary fix may include not storing the error object or displaying it publicly without modification.

Will this update impact my users?

This fix patches the Auth0.js and may require changes in application code due to password no longer available in error object, but it will not impact your users, their current state, or any existing sessions.

Severity ?

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "auth0-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "9.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-04-09T15:53:16Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Overview\nBetween versions 8.0.0 and  9.13.1(inclusive), in the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. \n\nIf the error object is exposed or logged without modification, the application risks password exposure.\n\n## Am I affected?\nYou are affected by this vulnerability if all of the following conditions apply:\n\n- You are using Auth0.js version between 8.0.0 and 9.13.1(inclusive).\n- You store or display error objects without filtering. \n\n## How to fix that?\nDevelopers should upgrade auth0.js to version 9.13.2 or later where user inputted passwords are masked in errors. If upgrading is not possible, a temporary fix may include not storing the error object or displaying it publicly without modification.\n\n## Will this update impact my users?\n\nThis fix patches the Auth0.js and may require changes in application code due to password no longer available in error object, but it will not impact your users, their current state, or any existing sessions.",
  "id": "GHSA-prfq-f66g-43mp",
  "modified": "2021-01-08T20:23:16Z",
  "published": "2020-04-10T18:19:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5263"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Information disclosure through error object in auth0.js"
}

FKIE_CVE-2020-5263

Vulnerability from fkie_nvd - Published: 2020-04-09 16:15 - Updated: 2024-11-21 05:33

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp	Third Party Advisory

Impacted products

	Vendor	Product	Version
	auth0	auth0.js	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:auth0:auth0.js:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "610E2D65-C419-40AD-B656-4F4E241E61D0",
              "versionEndIncluding": "9.13.1",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3"
    },
    {
      "lang": "es",
      "value": "auth0.js (paquete NPM auth0-js) versiones superiores a 8.0.0 y versiones anteriores 9.12.3, presenta una vulnerabilidad. En el caso de un error de (autenticaci\u00f3n), el objeto del error devuelto por la biblioteca contiene la petici\u00f3n original del usuario, que puede incluir la contrase\u00f1a de texto plano que ingres\u00f3 el usuario. Si el objeto de error se expone o registra sin modificaci\u00f3n, la aplicaci\u00f3n corre el riesgo de exponer la contrase\u00f1a. Esto es corregido en la versi\u00f3n 9.12.3"
    }
  ],
  "id": "CVE-2020-5263",
  "lastModified": "2024-11-21T05:33:47.647",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.1,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-04-09T16:15:12.160",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2020-22981

Vulnerability from cnvd - Published: 2020-04-15

Title

auth0.js信息泄露漏洞

Description

auth0.js是一款用于Auth0 API（应用程序编程接口）的客户端JavaScript工具包。 auth0.js (NPM package auth0-js) 8.0.0版本至9.13.1版本中存在安全漏洞。攻击者可利用该漏洞获取密码。

Severity

中

Patch Name

auth0.js信息泄露漏洞的补丁

Patch Description

auth0.js是一款用于Auth0 API（应用程序编程接口）的客户端JavaScript工具包。 auth0.js (NPM package auth0-js) 8.0.0版本至9.13.1版本中存在安全漏洞。攻击者可利用该漏洞获取密码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp

Impacted products

Name
Auth0 auth0.js >=8.0.0，<=9.13.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-5263"
    }
  },
  "description": "auth0.js\u662f\u4e00\u6b3e\u7528\u4e8eAuth0 API\uff08\u5e94\u7528\u7a0b\u5e8f\u7f16\u7a0b\u63a5\u53e3\uff09\u7684\u5ba2\u6237\u7aefJavaScript\u5de5\u5177\u5305\u3002\n\nauth0.js (NPM package auth0-js) 8.0.0\u7248\u672c\u81f39.13.1\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u5bc6\u7801\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-22981",
  "openTime": "2020-04-15",
  "patchDescription": "auth0.js\u662f\u4e00\u6b3e\u7528\u4e8eAuth0 API\uff08\u5e94\u7528\u7a0b\u5e8f\u7f16\u7a0b\u63a5\u53e3\uff09\u7684\u5ba2\u6237\u7aefJavaScript\u5de5\u5177\u5305\u3002\r\n\r\nauth0.js (NPM package auth0-js) 8.0.0\u7248\u672c\u81f39.13.1\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u5bc6\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "auth0.js\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Auth0 auth0.js \u003e=8.0.0\uff0c\u003c=9.13.1"
  },
  "serverity": "\u4e2d",
  "submitTime": "2020-04-10",
  "title": "auth0.js\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-5263 (GCVE-0-2020-5263)

GSD-2020-5263

GHSA-PRFQ-F66G-43MP

Overview

Am I affected?

How to fix that?

Will this update impact my users?

FKIE_CVE-2020-5263

CNVD-2020-22981

Tags

Sightings

Nomenclature