CVE-2019-7644: Security Vulnerability in Auth0-WCF-Service-JWT

Published: February 15, 2019

CVE number: CVE-2019-7644

Credit: Conny Dahlgren, Security Researcher at DevilSec AB

Overview

All versions of the Auth0-WCF-Service-JWT NuGet package lower than 1.0.4 include sensitive information about the expected JWT signature in the error message emitted when JWT signature validation fails:

Invalid signature. Expected 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgB1Y= got 8Qh5lJ5gSaQylkSdaCIDBoOqKzhoJ0Nutkkap8RgBOo=

Because the message discloses the signature the library computed for the token that was submitted, an attacker who can read it obtains a valid signature for arbitrary JWT tokens. In this way attackers can forge tokens that bypass authentication and authorization mechanisms.
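The following C# is an added illustration of the pattern the advisory describes and of a hardened replacement; it is not code from the Auth0-WCF-Service-JWT package, and every name in it (Hs256Validator, VerifyLeaky, VerifyHardened, JwtValidationException, the demo key and payloads) is an assumption constructed for this example. It assumes .NET Core 2.1 or later (or .NET 5+) for CryptographicOperations.FixedTimeEquals. VerifyLeaky reproduces the "Invalid signature. Expected ... got ..." message shape; VerifyHardened returns only a generic message to the caller, compares in constant time, and records the failure in a server-side log entry that contains neither signature.

```csharp
// Added example, not code from the Auth0-WCF-Service-JWT package.
// All names and sample values are assumptions constructed for illustration.
// Requires .NET Core 2.1+ / .NET 5+ for CryptographicOperations.FixedTimeEquals.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public sealed class JwtValidationException : Exception
{
    public JwtValidationException(string message) : base(message) { }
}

public static class Hs256Validator
{
    // Base64url (RFC 7515) encode/decode of one JWT segment.
    public static string Base64UrlEncode(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] Base64UrlDecode(string segment)
    {
        string s = segment.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
        }
        return Convert.FromBase64String(s);
    }

    private static byte[] Hmac(byte[] key, string signingInput)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.ASCII.GetBytes(signingInput));
    }

    // Builds an HS256-signed token; used only to create sample input for the demo.
    public static string Sign(string headerB64Url, string payloadB64Url, byte[] key) =>
        headerB64Url + "." + payloadB64Url + "." +
        Base64UrlEncode(Hmac(key, headerB64Url + "." + payloadB64Url));

    private static void Split(string token, out string signingInput, out byte[] presented)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 3) throw new JwtValidationException("Malformed token.");
        signingInput = parts[0] + "." + parts[1];
        try { presented = Base64UrlDecode(parts[2]); }
        catch (FormatException) { throw new JwtValidationException("Malformed signature."); }
    }

    // LEAKY pattern of the kind the advisory describes: the exception message
    // carries the signature the verifier computed, i.e. a valid signature for
    // whatever header.payload the caller submitted.
    public static void VerifyLeaky(string token, byte[] key)
    {
        Split(token, out string signingInput, out byte[] presented);
        byte[] expected = Hmac(key, signingInput);
        if (!expected.SequenceEqual(presented))
            throw new JwtValidationException(
                "Invalid signature. Expected " + Convert.ToBase64String(expected) +
                " got " + Convert.ToBase64String(presented));
    }

    // HARDENED pattern: generic message to the caller, constant-time comparison,
    // and a server-side log line that records the failure without either signature.
    public static void VerifyHardened(string token, byte[] key, Action<string> serverLog)
    {
        Split(token, out string signingInput, out byte[] presented);
        byte[] expected = Hmac(key, signingInput);
        if (!CryptographicOperations.FixedTimeEquals(expected, presented))
        {
            serverLog("JWT signature validation failed (HS256); token rejected.");
            throw new JwtValidationException("Invalid signature.");
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed demo key and payloads; not real secrets or real tokens.
        byte[] key = Encoding.ASCII.GetBytes("constructed-demo-key-not-a-real-secret");
        string header = Hs256Validator.Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"));
        string payload = Hs256Validator.Base64UrlEncode(Encoding.UTF8.GetBytes("{\"sub\":\"alice\"}"));
        string valid = Hs256Validator.Sign(header, payload, key);

        // A token whose payload was changed after signing: the signature no longer matches.
        string altered = header + "." +
            Hs256Validator.Base64UrlEncode(Encoding.UTF8.GetBytes("{\"sub\":\"bob\"}")) + "." +
            valid.Split('.')[2];

        try { Hs256Validator.VerifyLeaky(altered, key); }
        catch (JwtValidationException e) { Console.WriteLine("Leaky:    " + e.Message); }

        try { Hs256Validator.VerifyHardened(altered, key, msg => Console.WriteLine("Log:      " + msg)); }
        catch (JwtValidationException e) { Console.WriteLine("Hardened: " + e.Message); }
    }
}
```

Running the demo prints the leaky message with both base64 values, then the hardened variant's single log line and the bare "Invalid signature." that is all the caller ever sees. The design point is that a validation failure message must never contain the verifier's computed value: anything the server derives from the secret key belongs at most in a server-side log, and even there only the fact of the failure is needed for detection.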

Am I affected?

You are affected by this vulnerability if both of the following conditions apply:

  • You use a version of the Auth0-WCF-Service-JWT NuGet package lower than 1.0.4

  • You show the signature verification exception message in the user interface, or otherwise make it available to an attacker (for example, through logs or diagnostic messages)

How to fix it?

Developers using the Auth0-WCF-Service-JWT library need to upgrade to the latest version, 1.0.4.

The updated package is available on NuGet and can be installed with:

  Install-Package Auth0-WCF-Service-JWT -Version 1.0.4

Will this update impact my users?

No. This fix patches the library that your application runs; it does not affect your users, their current state, or any existing sessions.