CVE-2018-15121: Security Vulnerability in auth0-aspnet and auth0-aspnet-owin

Published: August 6, 2018

CVE number: CVE-2018-15121

Credit: Kévin Chalet

Overview

All versions of the auth0-aspnet and auth0-aspnet-owin packages have a security vulnerability that leave client applications vulnerable to a Cross-Site Request Forgery (CSRF) attack during authorization and authentication operations.

The root cause of this vulnerability is lack of use and verification of the state parameter in OAuth 2.0 and OpenID Connect (OIDC) protocols that allows an attacker to inject their authorization code into victim's session.

Am I affected?

If you use any version of auth0-aspnet or auth0-aspnet-owin, you are affected by this vulnerability.

How to fix that?

Further development of the auth0-aspnet and auth0-aspnet-owin packages has been discontinued. We strongly recommend moving to OWIN 4 and the official Microsoft.Owin.Security.OpenIdConnect package, which is not vulnerable.

If your application is not currently making use of OWIN, please refer to Microsoft's OWIN documentation to enable it in your application.

Will this update impact my users?

Current user states and sessions will be invalidated, as different libraries will handle authentication.