GHSA-5JPF-PJ32-XX53
Vulnerability from github – Published: 2020-07-29 16:26 – Updated: 2021-01-07 23:44
VLAI?
Summary
Authorization header is not sanitized in an error object in auth0
Details
Overview
Versions before and including 2.27.0 use a block list of specific keys that should be sanitized from the request object contained in the error object. When a request to Auth0 management API fails, the key for Authorization header is not sanitized and the Authorization header value can be logged exposing a bearer token.
Am I affected?
You are affected by this vulnerability if all of the following conditions apply:
- You are using
auth0npm package - You are using a Machine to Machine application authorized to use Auth0's management API https://auth0.com/docs/flows/concepts/client-credentials
How to fix that?
Upgrade to version 2.27.1
Will this update impact my users?
The fix provided in patch will not affect your users.
Credit
http://github.com/osdiab
Severity ?
7.7 (High)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "auth0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.27.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-15125"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": true,
"github_reviewed_at": "2020-07-29T16:25:59Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Overview\nVersions before and including `2.27.0` use a block list of specific keys that should be sanitized from the request object contained in the error object. When a request to Auth0 management API fails, the key for `Authorization` header is not sanitized and the `Authorization` header value can be logged exposing a bearer token.\n\n### Am I affected?\nYou are affected by this vulnerability if all of the following conditions apply:\n\n- You are using `auth0` npm package\n- You are using a Machine to Machine application authorized to use Auth0\u0027s management API https://auth0.com/docs/flows/concepts/client-credentials\n\n### How to fix that?\nUpgrade to version `2.27.1`\n\n### Will this update impact my users?\nThe fix provided in patch will not affect your users.\n\n### Credit\nhttp://github.com/osdiab",
"id": "GHSA-5jpf-pj32-xx53",
"modified": "2021-01-07T23:44:25Z",
"published": "2020-07-29T16:26:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/auth0/node-auth0/security/advisories/GHSA-5jpf-pj32-xx53"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15125"
},
{
"type": "WEB",
"url": "https://github.com/auth0/node-auth0/pull/507"
},
{
"type": "WEB",
"url": "https://github.com/auth0/node-auth0/pull/507/commits/62ca61b3348ec8e74d7d00358661af1a8bc98a3c"
},
{
"type": "WEB",
"url": "https://github.com/auth0/node-auth0/tree/v2.27.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Authorization header is not sanitized in an error object in auth0"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…