CVE-2019-16929: Security Vulnerability in auth0.net

Published: 10/03/2019

CVE number: CVE-2019-16929

Credit: Dennis Detering (Spike Reply GmbH)

Overview

Versions of auth0.net and associated NuGet Package Auth0.AuthenticationAPI from 5.8.0 to 6.5.3 inclusive include a class named IdentityTokenValidator with a public ValidateAsync method, that performs limited validation suitable only for auth0 issued tokens.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

  • You are using the IdentityTokenValidator to validate untrusted ID tokens

  • You are using a version of Auth0.AuthenticationAPI between 5.8.0 and 6.5.3 inclusive

How to fix that?

Developers should not use the IdentityTokenValidator class to validate untrusted ID tokens. See Validate ID Tokens for our recommendations for validating ID tokens. https://jwt.io/ is a good resource on open source JWT validation libraries and their capabilities. Note that additional logic may be required based upon your use case.

Developers using the auth0.net and associated NuGet Package Auth0.AuthenticationAPI between 5.8.0 and 6.5.3 inclusive should upgrade to the latest version 6.5.4 to prevent accidental usage of the IdentityTokenValidator class.

Will this update impact my users?

No. This fix patches the client library that your application runs, but will not impact your users, their current state, or any existing sessions.