Auth0 Security Bulletin CVE 2018-15121
Published: August 6, 2018
CVE number: CVE 2018-15121
Credit: Kévin Chalet
All versions of the auth0-aspnet and auth0-aspnet-owin packages have a security vulnerability that leave client applications vulnerable to a Cross-Site Request Forgery (CSRF) attack during authorization and authentication operations.
The root cause of this vulnerability is lack of use and verification of the
state parameter in OAuth 2.0 and OpenID Connect protocols that allows an attacker to inject their authorization code into victim's session.
Am I affected?
If you use any version of
auth0-aspnet-owin, you are affected by this vulnerability.
How to fix that?
Further development of the auth0-aspnet and auth0-aspnet-owin packages has been discontinued. We strongly recommend moving to OWIN 4 and the official
Microsoft.Owin.Security.OpenIdConnect package, which is not vulnerable.
See the migration guide for more details.
If your application is not currently making use of OWIN, please refer to Microsoft's OWIN documentation to enable it in your application.
Will this update impact my users?
Current user states and sessions will be invalidated, as different libraries will handle authentication.