CVE-2019-16929: Security Vulnerability in auth0.net
Published: 10/03/2019
CVE number: CVE-2019-16929
Credit: Dennis Detering (Spike Reply GmbH)
Overview
Versions of auth0.net and associated NuGet Package Auth0.AuthenticationAPI from 5.8.0
to 6.5.3
inclusive include a class named IdentityTokenValidator
with a public ValidateAsync
method, that performs limited validation suitable only for auth0 issued tokens.
Am I affected?
You are affected by this vulnerability if all of the following conditions apply:
You are using the
IdentityTokenValidator
to validate untrusted ID tokensYou are using a version of Auth0.AuthenticationAPI between
5.8.0
and6.5.3
inclusive
How to fix that?
Developers should not use the IdentityTokenValidator
class to validate untrusted ID tokens. See Validate ID Tokens for our recommendations for validating ID tokens. https://jwt.io/ is a good resource on open source JWT validation libraries and their capabilities. Note that additional logic may be required based upon your use case.
Developers using the auth0.net and associated NuGet Package Auth0.AuthenticationAPI between 5.8.0
and 6.5.3
inclusive should upgrade to the latest version 6.5.4
to prevent accidental usage of the IdentityTokenValidator
class.
Will this update impact my users?
No. This fix patches the client library that your application runs, but will not impact your users, their current state, or any existing sessions.