Vulnerability Description
In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for the Authorization header is not in that list, so in certain cases the Authorization header value can be logged, exposing a bearer token. You are affected by this vulnerability if you are using the auth0 npm package and you are using a Machine to Machine application authorized to use Auth0's Management API.
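As an added illustration (not node-auth0's own code), the pattern the description names: a denylist sanitizer whose list omits the Authorization key, beside a hardened list that covers it and matches key names case-insensitively, since HTTP header names are not case-sensitive. The key names, function names and the sample request are assumptions made for this example.

```javascript
// Added example, not code from the auth0 npm package. All names are assumed.

// Vulnerable pattern: only keys present in the list are stripped from the
// request object before it is attached to the error and logged.
const DENY_LIST_INCOMPLETE = ['client_secret', 'password'];

// Hardened list: the header carrying the bearer token is covered too.
const DENY_LIST_FIXED = ['client_secret', 'password', 'authorization'];

// Recursively redacts any property whose name (compared case-insensitively)
// appears in the denylist; other values are copied unchanged.
function sanitize(obj, denyList) {
  const deny = new Set(denyList.map((k) => k.toLowerCase()));
  if (Array.isArray(obj)) return obj.map((v) => sanitize(v, denyList));
  if (obj === null || typeof obj !== 'object') return obj;
  const out = {};
  for (const [key, value] of Object.entries(obj)) {
    out[key] = deny.has(key.toLowerCase()) ? '[REDACTED]' : sanitize(value, denyList);
  }
  return out;
}

// Constructed sample of a failed Management API request as it might be
// attached to an error object (token and host are placeholders).
const sampleRequest = {
  method: 'GET',
  url: 'https://example-tenant.auth0.invalid/api/v2/users',
  headers: {
    Authorization: 'Bearer constructed-sample-token',
    'Content-Type': 'application/json',
  },
  body: { client_secret: 'constructed-secret' },
};

// What a logger would see after sanitization with the given denylist.
function serializeError(request, denyList) {
  return JSON.stringify(sanitize(request, denyList));
}

// Check used by the demonstration: does the logged text still carry a bearer token?
function leaksBearer(request, denyList) {
  return serializeError(request, denyList).includes('Bearer ');
}

function main() {
  console.log('incomplete denylist leaks token:', leaksBearer(sampleRequest, DENY_LIST_INCOMPLETE));
  console.log('fixed denylist leaks token:', leaksBearer(sampleRequest, DENY_LIST_FIXED));
}
main();
```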
CVSS Score
7.7 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Auth0 | Auth0.Js | < 2.27.1 |
Related Weaknesses (CWE)
References
- https://github.com/auth0/node-auth0/pull/507 (Patch, Third Party Advisory)
- https://github.com/auth0/node-auth0/pull/507/commits/62ca61b3348ec8e74d7d0035866 (Patch, Third Party Advisory)
- https://github.com/auth0/node-auth0/security/advisories/GHSA-5jpf-pj32-xx53 (Third Party Advisory)
- https://github.com/auth0/node-auth0/tree/v2.27.1 (Release Notes, Third Party Advisory)
FAQ
What is CVE-2020-15125?
CVE-2020-15125 is a vulnerability with a CVSS score of 7.7 (HIGH). In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for the Authorization header is not in that list, so in certain cases the Authorization header value can be logged, exposing a bearer token.
How severe is CVE-2020-15125?
CVE-2020-15125 has been rated HIGH with a CVSS base score of 7.7/10. See the CVSS Score section above.
Is there a patch for CVE-2020-15125?
Yes. The fix is in version 2.27.1 of the auth0 npm package; see the References section above for the patch, the GitHub advisory and the release notes. Affected products include: Auth0 Auth0.Js.