CVE Vulnerability

CVE-2020-15125

In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for Authorization header is not sanitized and in certain cases the Authorization header value can be logged exposing a bearer token. You are affected by this vulnerability if you are using the auth0 npm package, and you are using a Machine to Machine application authorized to use Auth0's management API

4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

7.7 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/auth0/node-auth0/tree/v2.27.1 Release Notes Third Party Advisory
https://github.com/auth0/node-auth0/security/advisories/GHSA-5jpf-pj32-xx53 Third Party Advisory
https://github.com/auth0/node-auth0/pull/507/commits/62ca61b3348ec8e74d7d00358661af1a8bc98a3c Patch Third Party Advisory
https://github.com/auth0/node-auth0/pull/507 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:auth0:auth0.js:*:*:*:*:*:*:*:*
Information

Published : 2020-07-29 05:15

Updated : 2021-04-28 05:08

NVD link : CVE-2020-15125

Mitre link : CVE-2020-15125

Products Affected
No products.
CWE
CWE-209