CVE-2019-7644: Generation of Error Message Containing Sensitive Information

April 11, 2019 (updated August 24, 2020)

Auth0 Auth0-WCF-Service-JWT leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker, they can forge an arbitrary JWT token that will be accepted by the vulnerable application.

References

auth0.com/docs/security/bulletins/cve-2019-7644
nvd.nist.gov/vuln/detail/CVE-2019-7644

Code Behaviors & Features

Detect and mitigate CVE-2019-7644 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →