CVE-2019-7644: Security Vulnerability in Auth0-WCF-Service-JWT

Published: February 15, 2019

CVE number: CVE-2019-7644

Credit: Conny Dahlgren, Security Researcher at DevilSec AB

All versions of Auth0-WCF-Service-JWT NuGet package lower than 1.0.4 include sensitive information about the expected JWT signature in an error message emitted when JWT signature validation fails:

Invalid signature. Expected 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgB1Y= got 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgBOo=

This vulnerability allows attackers to use this error message to obtain a valid signature for arbitrary JWT tokens. This way attackers can forge tokens to bypass authentication and authorization mechanisms.

You are affected by this vulnerability if the following conditions apply:

• You use a version of Auth0-WCF-Service-JWT NuGet package lower than 1.0.4

• You show signature verification exception message in the user interface or make it otherwise available to the attacker (for example through logs or diagnostic messages)

Developers using the Auth0-WCF-Service-JWT library need to upgrade to the latest version 1.0.4.

The updated package is available on NuGet: Install-Package Auth0-WCF-Service-JWT -Version 1.0.4

No. This fix patches the library that your application runs, but will not impact your users, their current state, or any existing sessions.