Closed DejanNZ closed 5 months ago
This should be fixed here. Please try our latest version of the SDK.
Thanks for the prompt response.
We found that the latest version of the Auth0.OidcClient.WinForms (4.0.0) still references the vulnerable version of System.IdentityModel.Tokens.Jwt (6.12.2). When can we expect an updated WinForms client NuGet? Thanks
Sorry about that. The fix in Auth0.OidcClient.Core is released as 4.0.1, it looks like installing the latest Auth0.OidcClient.WinForms (which is 4.0.0), still installs Auth0.OidcClient.Core 4.0.0.
Can you try updating (probably explicitly installing) Auth0.OidcClient.Core to 4.0.1 and see if it helps?
That will work for now. Thanks
Description
We use the Auth0.OidcClient.WinForms NuGet package in our software.
Mend (WhiteSource) open source scans detected some transitive dependencies coming from the Auth0.OidcClient.Core assembly containing known medium vulnerabilities.
The affected packages are the last two in the list below:
Auth0.OidcClient.Core → Microsoft.IdentityModel.Protocols.OpenIdConnect (6.12.2) → System.IdentityModel.Tokens.Jwt (6.12.2) → Microsoft.IdentityModel.JsonWebTokens (6.12.2)
Reproduction
Do a Mend (WhiteSource) open source vulnerability scan for binaries that reference Auth0.OidcClient.WinForms.
Additional context
No response
auth0-oidc-client-net version
3.2.8
.NET version
4.8
Platform
Windows
Platform version(s)
10
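One way to confirm what the thread describes, added here as an example and not taken from the issue or the Auth0 SDK: walk the resolved graph in NuGet's `obj/project.assets.json` and report every chain that still reaches a flagged version, plus whether Auth0.OidcClient.Core resolved below 4.0.1. It assumes a PackageReference project; the sample graph and the function names are constructed for illustration.

```python
import json

# Packages and versions flagged by the scan (the last two in the issue's chain).
FLAGGED = {
    "System.IdentityModel.Tokens.Jwt": "6.12.2",
    "Microsoft.IdentityModel.JsonWebTokens": "6.12.2",
}

# Constructed sample shaped like obj/project.assets.json (not real restore output).
SAMPLE_ASSETS = json.dumps({"targets": {".NETFramework,Version=v4.8": {
    "Auth0.OidcClient.WinForms/4.0.0": {"dependencies": {"Auth0.OidcClient.Core": "4.0.0"}},
    "Auth0.OidcClient.Core/4.0.0": {"dependencies": {"Microsoft.IdentityModel.Protocols.OpenIdConnect": "6.12.2"}},
    "Microsoft.IdentityModel.Protocols.OpenIdConnect/6.12.2": {"dependencies": {"System.IdentityModel.Tokens.Jwt": "6.12.2"}},
    "System.IdentityModel.Tokens.Jwt/6.12.2": {"dependencies": {"Microsoft.IdentityModel.JsonWebTokens": "6.12.2"}},
    "Microsoft.IdentityModel.JsonWebTokens/6.12.2": {},
}}})

def resolved_graph(assets_text, framework):
    """Return ({package: resolved version}, {package: [dependency names]})."""
    target = json.loads(assets_text)["targets"][framework]
    versions, edges = {}, {}
    for key, entry in target.items():          # keys look like "Name/Version"
        name, version = key.split("/", 1)
        versions[name] = version
        edges[name] = sorted(entry.get("dependencies", {}))
    return versions, edges

def flagged_paths(assets_text, framework, flagged=FLAGGED):
    """List each dependency chain, from a top-level package, that ends at a flagged version."""
    versions, edges = resolved_graph(assets_text, framework)
    children = {dep for deps in edges.values() for dep in deps}
    found = []
    def walk(name, path):
        if name in path or name not in versions:   # cycle guard / unresolved reference
            return
        path = path + [name]
        if flagged.get(name) == versions[name]:
            found.append(" -> ".join(f"{p} {versions[p]}" for p in path))
        for dep in edges[name]:
            walk(dep, path)
    for root in sorted(n for n in versions if n not in children):
        walk(root, [])
    return found

def core_needs_pin(assets_text, framework, fixed="4.0.1"):
    """True when Auth0.OidcClient.Core resolved below the release carrying the fix."""
    versions, _ = resolved_graph(assets_text, framework)
    as_tuple = lambda v: tuple(int(part) for part in v.split("-")[0].split("."))
    return as_tuple(versions["Auth0.OidcClient.Core"]) < as_tuple(fixed)

if __name__ == "__main__":
    print("\n".join(flagged_paths(SAMPLE_ASSETS, ".NETFramework,Version=v4.8")))
    print("pin Core explicitly:", core_needs_pin(SAMPLE_ASSETS, ".NETFramework,Version=v4.8"))
```

Run it against the real assets file again after explicitly installing Auth0.OidcClient.Core 4.0.1 to see whether any flagged chain remains.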