Auth0 Security Bulletin CVE-2019-7644
Published: February 15, 2019
CVE number: CVE-2019-7644
Credit: Conny Dahlgren, Security Researcher at DevilSec AB
All versions of the Auth0-WCF-Service-JWT NuGet package lower than 1.0.4 include the expected JWT signature in the error message emitted when JWT signature validation fails:
Invalid signature. Expected 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgB1Y= got 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgBOo=
An attacker who can observe this error message can obtain a valid signature for an arbitrary JWT of their choosing, and can therefore forge tokens that bypass authentication and authorization mechanisms.
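To make the defect concrete, here is an added illustration in Python (not the library's own code, which is .NET). It assumes an HS256-style token and a constructed demo key, contrasts an error message that echoes the expected signature with a hardened one, and includes a small check you can run over application logs to find lines where an affected version already disclosed a signature.

```python
import base64
import hashlib
import hmac
import re

# Constructed demo key; a real deployment's key comes from the service configuration.
SECRET = b"demo-secret-not-a-real-key"

def std_b64(data: bytes) -> str:
    # Standard base64 with padding, matching the "...B1Y=" form in the bulletin's message.
    return base64.b64encode(data).decode()

def make_token(claims_json: str, signature: str) -> str:
    # Constructed HS256-style token: header.payload.signature
    header = std_b64(b'{"alg":"HS256","typ":"JWT"}')
    return f"{header}.{std_b64(claims_json.encode())}.{signature}"

def expected_signature(token: str) -> str:
    # HMAC-SHA256 over "header.payload", as an HS256 verifier computes it.
    header, payload, _ = token.split(".")
    mac = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return std_b64(mac)

def verify_vulnerable(token: str):
    """Mimics the pre-1.0.4 behaviour: the error text echoes the expected signature."""
    got, expected = token.split(".")[2], expected_signature(token)
    if got == expected:
        return True, ""
    # The disclosed value is precisely the signature a forged token would need.
    return False, f"Invalid signature. Expected {expected} got {got}"

def verify_fixed(token: str):
    """Hardened form: constant-time comparison and a message with no secret-derived data."""
    got, expected = token.split(".")[2], expected_signature(token)
    if hmac.compare_digest(got.encode(), expected.encode()):
        return True, ""
    return False, "Invalid signature."

LEAK_RE = re.compile(r"Invalid signature\. Expected (\S+) got (\S+)")

def leaked_signatures(log_lines):
    """Detection aid: return expected-signature values that an affected version wrote to logs."""
    return [m.group(1) for line in log_lines if (m := LEAK_RE.search(line))]
```

Any value returned by leaked_signatures should be treated as a valid signature that has been exposed, so the tokens it protects are no longer trustworthy.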
Am I affected?
You are affected by this vulnerability if the following conditions apply:
- You use a version of Auth0-WCF-Service-JWT NuGet package lower than 1.0.4
- You show the signature verification exception message in the user interface, or otherwise make it available to an attacker (for example through logs or diagnostic messages)
How do I fix this?
Developers using the Auth0-WCF-Service-JWT library need to upgrade to the latest version, 1.0.4.
The updated package is available on NuGet:
Install-Package Auth0-WCF-Service-JWT -Version 1.0.4
Will this update impact my users?
No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.