7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15125

GHSA ID

GHSA-5jpf-pj32-xx53

EPSS Score

0.53532%

CWE

CWE-209

Published

7/29/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-15125

CVE-2020-15125: Authorization header is not sanitized in an error object in auth0

Overview

Versions before and including 2.27.0 use a block list of specific keys that should be sanitized from the request object contained in the error object. When a request to Auth0 management API fails, the key for Authorization header is not sanitized and the Authorization header value can be logged exposing a bearer token.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

You are using auth0 npm package
You are using a Machine to Machine application authorized to use Auth0's management API https://auth0.com/docs/flows/concepts/client-credentials

How to fix that?

Upgrade to version 2.27.1

Will this update impact my users?

The fix provided in patch will not affect your users.

Credit

http://github.com/osdiab

(GitHub Advisory)

7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15125

GHSA ID

GHSA-5jpf-pj32-xx53

EPSS Score

0.53532%

CWE

CWE-209

Published

7/29/2020

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
auth0	npm	< 2.27.1	2.27.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from incomplete key sanitization in error handling. The commit diff shows:

The regex pattern in sanitizeErrors() was expanded from 'password|secret' to 'password|secret|authorization'
sanitizeErrorRequestData() was modified to process both _data and _header properties
Tests were added specifically for authorization header sanitization These functions were vulnerable because they used a blocklist approach that omitted authorization headers prior to v2.27.1, violating CWE-209 by exposing credentials in error messages.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Ov*rvi*w V*rsions ***or* *n* in*lu*in* `*.**.*` us* * *lo*k list o* sp**i*i* k*ys t**t s*oul* ** s*nitiz** *rom t** r*qu*st o*j**t *ont*in** in t** *rror o*j**t. W**n * r*qu*st to *ut** m*n***m*nt *PI **ils, t** k*y *or `*ut*oriz*tion` *****r is

Reasoning

T** vuln*r**ility st*mm** *rom in*ompl*t* k*y s*nitiz*tion in *rror **n*lin*. T** *ommit *i** s*ows: *. T** r***x p*tt*rn in s*nitiz**rrors() w*s *xp*n*** *rom 'p*sswor*|s**r*t' to 'p*sswor*|s**r*t|*ut*oriz*tion' *. s*nitiz**rrorR*qu*st**t*() w*s mo*

7.7

Basic Information

Concerned about an active attack path?

CVE-2020-15125: Authorization header is not sanitized in an error object in auth0

Overview

Am I affected?

How to fix that?

Will this update impact my users?

Credit

7.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI