Severity: low

Information Exposure

auth0

Overview

Versions of auth0 before 2.27.1 use a block list of specific keys that should be sanitized from the request object contained in the error object. When a request to the Auth0 Management API fails, the key for the Authorization header is not on that list and so is not sanitized; the Authorization header value can therefore be logged, exposing a bearer token.
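The following is an added illustration of the flaw class described above, not code from the auth0 library: a key block list that omits the Authorization header, beside a redaction that compares header names case-insensitively and covers it. All function names and the sample request are hypothetical and constructed for this example.

```javascript
// Added illustration (not the auth0 library's code) of the flaw class
// described in the overview: a key block list that omits the Authorization
// header, next to a redaction that covers it. All names are hypothetical.

// Constructed sample of a failed Management API request as it might be
// attached to the thrown error and then logged.
const failedRequest = {
  method: 'GET',
  url: 'https://example-tenant.auth0.com/api/v2/users',
  headers: {
    'Content-Type': 'application/json',
    Authorization: 'Bearer constructed-sample-token-123'
  },
  body: { client_secret: 'constructed-sample-secret' }
};

// Deep-copy req and replace the value of every key accepted by isSensitive.
function redactKeys(req, isSensitive) {
  const clone = JSON.parse(JSON.stringify(req));
  const walk = (obj) => {
    for (const key of Object.keys(obj)) {
      if (isSensitive(key)) obj[key] = '[REDACTED]';
      else if (obj[key] && typeof obj[key] === 'object') walk(obj[key]);
    }
  };
  walk(clone);
  return clone;
}

// Block-list style: only the listed keys are scrubbed, matched exactly.
// 'Authorization' is not on the list, so the bearer token survives.
const BLOCK_LIST = ['client_secret', 'password'];
function sanitizeWithBlockList(req) {
  return redactKeys(req, (key) => BLOCK_LIST.includes(key));
}

// Hardened: header names are case-insensitive (RFC 7230), so compare in
// lowercase and include Authorization and cookie headers explicitly.
const SENSITIVE = new Set(['authorization', 'cookie', 'set-cookie',
  'client_secret', 'password']);
function sanitizeCredentials(req) {
  return redactKeys(req, (key) => SENSITIVE.has(key.toLowerCase()));
}

// Check for logs already written: does serialized output still carry a
// bearer token? Also usable as a unit test on the error serializer.
function containsBearerToken(text) {
  return /\bBearer\s+[A-Za-z0-9._~+\/=-]+/i.test(text);
}
```

Running `containsBearerToken` over the serialized output of each sanitizer shows the block-list version still leaks the token while the hardened version does not.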

You are affected by this vulnerability if all of the following conditions apply:

Remediation

Upgrade to version 2.27.1.

Resources

Advisory timeline

  1. published

    Advisory Published
    Jul 29th, 2020
  2. reported

    Reported by Omar Diab
    Jul 29th, 2020