auth0 Package up to 2.27.0 on npm Authorization Header Log information exposure
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.6 | $0-$5k | 0.00 |
Summary
A vulnerability identified as problematic has been detected in auth0 Package up to 2.27.0 on npm. This affects an unknown part. The manipulation as part of Authorization Header leads to information exposure (Log). This vulnerability is documented as CVE-2020-15125. The attack can be initiated remotely. There is not any exploit available. You should upgrade the affected component.
Details
A vulnerability was found in auth0 Package up to 2.27.0 on npm and classified as problematic. This issue affects some unknown functionality. The manipulation as part of a Authorization Header leads to a information exposure vulnerability (Log). Using CWE to declare the problem leads to CWE-209. The product generates an error message that includes sensitive information about its environment, users, or associated data. Impacted is confidentiality. The summary by CVE is:
In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for Authorization header is not sanitized and in certain cases the Authorization header value can be logged exposing a bearer token. You are affected by this vulnerability if you are using the auth0 npm package, and you are using a Machine to Machine application authorized to use Auth0's management API
The weakness was released 07/29/2020 (GitHub Repository). The advisory is shared at github.com. The identification of this vulnerability is CVE-2020-15125 since 06/25/2020. The attack may be initiated remotely. A simple authentication is required for exploitation. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1592 for this issue.
Upgrading to version 2.27.1 eliminates this vulnerability.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Type
Name
Version
- 2.0
- 2.1
- 2.2
- 2.3
- 2.4
- 2.5
- 2.6
- 2.7
- 2.8
- 2.9
- 2.10
- 2.11
- 2.12
- 2.13
- 2.14
- 2.15
- 2.16
- 2.17
- 2.18
- 2.19
- 2.20
- 2.21
- 2.22
- 2.23
- 2.24
- 2.25
- 2.26
- 2.27.0
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.3VulDB Meta Temp Score: 6.1
VulDB Base Score: 5.0
VulDB Temp Score: 4.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.7
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Name: LogClass: Information exposure / Log
CWE: CWE-209 / CWE-200 / CWE-284
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: auth0 Package 2.27.1
Timeline
06/25/2020 🔍07/29/2020 🔍
07/30/2020 🔍
11/06/2020 🔍
Sources
Advisory: github.comStatus: Not defined
Confirmation: 🔍
CVE: CVE-2020-15125 (🔍)
GCVE (CVE): GCVE-0-2020-15125
GCVE (VulDB): GCVE-100-159161
Entry
Created: 07/30/2020 16:47Updated: 11/06/2020 14:59
Changes: 07/30/2020 16:47 (40), 07/30/2020 16:52 (11), 11/06/2020 14:57 (1), 11/06/2020 14:59 (1)
Complete: 🔍
Cache ID: 216::103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.