CVE-2018-15121: Security Vulnerability in auth0-aspnet and auth0-aspnet-owin
Published: August 6, 2018
CVE number: CVE-2018-15121
Credit: Kévin Chalet
Overview
All versions of the auth0-aspnet and auth0-aspnet-owin packages have a security vulnerability that leave client applications vulnerable to a Cross-Site Request Forgery (CSRF) attack during authorization and authentication operations.
The root cause of this vulnerability is lack of use and verification of the state
parameter in OAuth 2.0 and OpenID Connect (OIDC) protocols that allows an attacker to inject their authorization code into victim's session.
Am I affected?
If you use any version of auth0-aspnet
or auth0-aspnet-owin
, you are affected by this vulnerability.
How to fix that?
Further development of the auth0-aspnet and auth0-aspnet-owin packages has been discontinued. We strongly recommend moving to OWIN 4 and the official Microsoft.Owin.Security.OpenIdConnect
package, which is not vulnerable.
See the migration guide for more details.
If your application is not currently making use of OWIN, please refer to Microsoft's OWIN documentation to enable it in your application.
Will this update impact my users?
Current user states and sessions will be invalidated, as different libraries will handle authentication.