CVE-2020-15125
Authorization header is not sanitized in an error object in auth0
Description
### Overview
Versions before and including `2.27.0` use a block list of specific keys that should be sanitized from the request object contained in the error object. When a request to the Auth0 management API fails, the key for the `Authorization` header is not on that list, so the `Authorization` header value can be logged, exposing a bearer token.
### Am I affected?
You are affected by this vulnerability if all of the following conditions apply:
- You are using the `auth0` npm package
- You are using a Machine to Machine application authorized to use Auth0's management API: https://auth0.com/docs/flows/concepts/client-credentials
### How to fix that?
Upgrade to version `2.27.1`.
### Will this update impact my users?
The fix provided in the patch will not affect your users.
### Credit
http://github.com/osdiab
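The following is an added illustration, not code from the `auth0` package, of the failure mode described above: a sanitizer that strips only block-listed keys from the failed request leaves the `Authorization` header in the error object, whereas an allow-list sanitizer (one defensive option, not necessarily what the `2.27.1` patch does) redacts everything it does not recognise. The request shape, header values and helper names are assumptions.

```javascript
// Constructed sample: a request to the management API that failed.
// Token and URL are placeholders, not real credentials.
const failedRequest = {
  method: 'GET',
  url: 'https://example.auth0.com/api/v2/users',
  headers: {
    'Content-Type': 'application/json',
    Authorization: 'Bearer eyJ.constructed.token',
  },
};

// Vulnerable pattern: drop only keys named on a block list.
// `Authorization` is not on the list, so it survives into the error.
const BLOCKED_KEYS = ['password', 'client_secret'];
function sanitizeByBlockList(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers)) {
    if (!BLOCKED_KEYS.includes(k.toLowerCase())) headers[k] = v;
  }
  return { ...req, headers };
}

// Hardened pattern: copy only known-safe headers and replace the rest
// with a marker, so the error stays useful without carrying secrets.
const SAFE_HEADERS = new Set(['content-type', 'accept', 'user-agent']);
function sanitizeByAllowList(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers)) {
    headers[k] = SAFE_HEADERS.has(k.toLowerCase()) ? v : '[REDACTED]';
  }
  return { ...req, headers };
}

// Build the error object that an application would typically log.
function buildApiError(req, sanitize) {
  const err = new Error('Request to Auth0 management API failed');
  err.request = sanitize(req);
  return err;
}

// Detection check for a log sink: does the serialized error still
// carry a bearer token anywhere in the attached request?
function leaksBearerToken(err) {
  return /Bearer\s+\S+/i.test(JSON.stringify(err.request));
}
```

The same `leaksBearerToken` check can be run over existing error logs to find records written by the vulnerable versions.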
How to fix CVE-2020-15125
To remediate CVE-2020-15125, upgrade the affected package to a fixed version below.
- Upgrade to 2.27.1 or later
Is CVE-2020-15125 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `auth0` (npm): versions from 0, < 2.27.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.7) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |