Auth0 Security Bulletin CVE 2018-11537

Published: June 5, 2018

CVE number: CVE 2018-11537

Credit: Stephan Hauser

Overview

The domain whitelisting feature can be bypassed. For example, if the setting is initialized with:

jwtInterceptorProvider.whiteListedDomains = ['whitelisted.Example.com'];

an attacker can set up a domain whitelistedXexample.com that will pass the whitelist filter. The root cause is that angular-jwt always treats whiteListedDomains entries as regular expressions, so the . separator matches any character.
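The root cause described above, as an added JavaScript example (not angular-jwt's own code): a simplified model of a check that compiles every entry as a regular expression, beside one that compares string entries literally. The function names and the case-insensitive flag are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of a hostname whitelist check.
// This is not angular-jwt's source; all function names are hypothetical.

// Flawed pattern: every string entry is compiled as a regular expression,
// so "." in "whitelisted.Example.com" matches any single character.
// The 'i' flag is an assumption (hostnames are case-insensitive).
function isWhitelistedAsRegex(hostname, entries) {
  return entries.some((entry) => {
    const re = entry instanceof RegExp ? entry : new RegExp(entry, 'i');
    return hostname.match(re) !== null;
  });
}

// Stricter pattern: string entries are compared literally after lowercasing;
// only values that are explicitly RegExp objects are treated as patterns.
function isWhitelistedStrict(hostname, entries) {
  const host = hostname.toLowerCase();
  return entries.some((entry) =>
    entry instanceof RegExp
      ? host.match(entry) !== null
      : host === String(entry).toLowerCase()
  );
}

// Constructed sample input taken from the bulletin's own example.
const entries = ['whitelisted.Example.com'];
const hosts = ['whitelisted.example.com', 'whitelistedXexample.com'];

// Run both checks over the sample hosts and return one row per host.
function compare() {
  return hosts.map((host) => ({
    host,
    regex: isWhitelistedAsRegex(host, entries),
    strict: isWhitelistedStrict(host, entries),
  }));
}

console.table(compare());
```

A deliberate pattern is still possible with the strict check by passing a RegExp object with escaped dots and anchors, for example /^api\.example\.com$/.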

Am I affected?

If the following apply, you are affected by this vulnerability:

  • You use a version of angular-jwt lower than 0.1.10
  • You use domain whitelisting in your code

How do I fix it?

Developers using the angular-jwt library need to upgrade to the latest version: 0.1.10.

The updated package is available on npm:

$ npm install angular-jwt@0.1.10

To make it easier to keep up with security updates in the future, please make sure your package.json file is updated to take patch and minor level updates of our libraries:

{
  "dependencies": {
    "angular-jwt": "^0.1.10"
  }
}

Will this update impact my users?

No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.