Overview
Versions before and including 2.27.0 use a block list of specific keys that should be sanitized from the request object contained in the error object. When a request to Auth0 management API fails, the key for Authorization header is not sanitized and the Authorization header value can be logged exposing a bearer token.
Am I affected?
You are affected by this vulnerability if all of the following conditions apply:
How to fix that?
Upgrade to version 2.27.1
Will this update impact my users?
The fix provided in patch will not affect your users.
Credit
http://github.com/osdiab
References
osdiab Analyst
Overview
Versions before and including
2.27.0use a block list of specific keys that should be sanitized from the request object contained in the error object. When a request to Auth0 management API fails, the key forAuthorizationheader is not sanitized and theAuthorizationheader value can be logged exposing a bearer token.Am I affected?
You are affected by this vulnerability if all of the following conditions apply:
auth0npm packageHow to fix that?
Upgrade to version
2.27.1Will this update impact my users?
The fix provided in patch will not affect your users.
Credit
http://github.com/osdiab
References