CVE-2020-15125
Sanitization vulnerability in auth0 (npm)
What is CVE-2020-15125 About?
This vulnerability involves insufficient sanitization of the Authorization header in Auth0 management API errors, leading to exposure of bearer tokens in logs. This can result in unauthorized access to sensitive data or actions, and it is relatively easy to exploit by triggering an API error. The vulnerability stems from an incomplete blocklist that fails to redact sensitive information.
Affected Software
auth0 (npm), versions up to and including 2.27.0; fixed in 2.27.1.
Technical Details
The vulnerability exists in versions of the auth0 npm package up to and including 2.27.0. When a request to the Auth0 management API fails, the library generates an error object that includes details of the request. Before this request object is logged, the library sanitizes it with a blocklist of specific keys. However, the key for the Authorization header, which carries the bearer token, is not in that blocklist. Consequently, if a machine-to-machine application authorized to use Auth0's management API makes a failing request, the full Authorization header value, bearer token included, is logged in cleartext and exposed to anyone who can read the logs. An attacker can trigger error conditions to cause these tokens to be logged.
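To make the mechanism concrete, the following is an added JavaScript example and not node-auth0's own code. It builds the kind of error object a failing management-API call carries, sanitizes the attached request once with an incomplete blocklist that omits the Authorization header and once with a hardened blocklist that includes it and matches key names case-insensitively, and provides a check a defender can run over a serialized error to see whether a bearer token survived redaction. The request shape, the blocklist contents, the function names and the token and URL values are all constructed for this example.

```javascript
// Added example, not node-auth0's code: an incomplete header blocklist
// leaks a bearer token into a logged error; the hardened one does not.

// Constructed sample of the request details a client attaches to an error.
const SAMPLE_REQUEST = {
  method: 'GET',
  url: 'https://TENANT-PLACEHOLDER.auth0.com/api/v2/users', // constructed
  headers: {
    Authorization: 'Bearer CONSTRUCTED-PLACEHOLDER-TOKEN',
    'Content-Type': 'application/json',
  },
  body: { client_secret: 'CONSTRUCTED-SECRET' },
};

// Weak blocklist (assumed for the example): redacts the body secret but
// never mentions the Authorization header, the class of gap in the advisory.
const WEAK_BLOCKLIST = ['client_secret'];

// Hardened blocklist: names the Authorization header explicitly; matching
// below is case-insensitive because HTTP header names are case-insensitive.
const HARDENED_BLOCKLIST = ['client_secret', 'authorization', 'cookie'];

// Return a deep copy of `request` with every blocklisted key, at any
// nesting level, replaced by a fixed marker.
function sanitize(request, blocklist) {
  const blocked = new Set(blocklist.map((k) => k.toLowerCase()));
  const redact = (obj) => {
    const out = {};
    for (const [key, value] of Object.entries(obj || {})) {
      if (blocked.has(key.toLowerCase())) {
        out[key] = '[REDACTED]';
      } else if (value && typeof value === 'object' && !Array.isArray(value)) {
        out[key] = redact(value);
      } else {
        out[key] = value;
      }
    }
    return out;
  };
  return redact(request);
}

// Build the error a failing management-API call would surface to the
// caller (and to whatever logs it), with the sanitized request attached.
function buildApiError(statusCode, request, blocklist) {
  const err = new Error(`Management API request failed with status ${statusCode}`);
  err.statusCode = statusCode;
  err.request = sanitize(request, blocklist);
  return err;
}

// Defender's check: does the serialized request on an error still contain
// something shaped like a bearer token?
function leaksBearerToken(err) {
  return /Bearer\s+\S+/i.test(JSON.stringify(err.request));
}

// Demonstration run for the reader.
const weakErr = buildApiError(403, SAMPLE_REQUEST, WEAK_BLOCKLIST);
const hardErr = buildApiError(403, SAMPLE_REQUEST, HARDENED_BLOCKLIST);
console.log('weak blocklist leaks token:', leaksBearerToken(weakErr));
console.log('hardened blocklist leaks token:', leaksBearerToken(hardErr));
```

The `leaksBearerToken` check is also a cheap regression test to run over whatever your application actually writes to its log sink: if a `Bearer ...` value ever appears in a logged error, the sanitizer in use has the same gap the advisory describes.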
What is the Impact of CVE-2020-15125?
Successful exploitation may allow attackers to gain unauthorized access to Auth0 management API resources by obtaining exposed bearer tokens, leading to potential data breaches, unauthorized modifications, or denial of service.
What is the Exploitability of CVE-2020-15125?
Exploitation complexity is considered low. The prerequisites are an application that uses a vulnerable version of the auth0 npm package to call the Auth0 management API, a management API request that fails and is therefore logged, and local or remote access to the logs where the bearer token is written. No authentication to the vulnerable application is needed beyond what is required to cause such a failing request. The likelihood of exploitation increases when logs are not properly secured or are readable by unauthorized individuals.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-15125?
Available Upgrade Options
- auth0
- <2.27.1 → Upgrade to 2.27.1
Additional Resources
- https://osv.dev/vulnerability/GHSA-5jpf-pj32-xx53
- https://nvd.nist.gov/vuln/detail/CVE-2020-15125
- https://github.com/auth0/node-auth0/tree/v2.27.1
- https://github.com/auth0/node-auth0/pull/507/commits/62ca61b3348ec8e74d7d00358661af1a8bc98a3c
- https://github.com/auth0/node-auth0/pull/507
- https://github.com/auth0/node-auth0/security/advisories/GHSA-5jpf-pj32-xx53