Upgrade Auth0-deploy-cli version to address security vulnerabilities

Problem statement

At the moment, we are referring to auth0-deploy-cli version 5.5.1 within our custom Auth0 implementation to manage our applications across our Auth0 tenants. We recently performed a security scan on this custom implementation, and the following high-severity vulnerabilities were identified.

We were able to address the vulnerabilities for the lodash and async packages. However, for the remaining three vulnerabilities, the fix is to upgrade the auth0-deploy-cli version.

From auth0-deploy-cli/CHANGELOG.md at master · auth0/auth0-deploy-cli · GitHub, we do see that there have been quite a few changes since version 5.5.1.

We request you to kindly advise the best version to which we can upgrade our CLI version to address the reported vulnerabilities and, at the same time, NOT introduce any new functional conflicts within our existing custom Auth0 implementation.

Solution

In the Auth0 Deploy CLI version 5.5.1, the pug and ansi-regex libraries are not used directly; of the libraries listed, only nconf (version ^0.8.4) is a direct dependency. The other vulnerable libraries should be transitive dependencies pulled in by the libraries the Auth0 Deploy CLI tool itself depends on.

Since we are not aware of how you integrated the Auth0 Deploy CLI into your app, and considering that you need to execute a security scan tool like Snyk anyway, we recommend finding the right version on your end. To do so, we recommend the following approach:

  1. Gradually increase the auth0-deploy-cli dependency version in your application and re-run the security scan tool after each bump to find the minimum version of auth0-deploy-cli that no longer produces the warnings. This step should be quick to complete if you have already integrated the scan tool with your application.

  2. Once you find the necessary minimum version of the auth0-deploy-cli library, we recommend the following verification steps in a development tenant:
    2.1. Run your application that uses auth0-deploy-cli as a dependency with the existing old version.
    2.2. Export the existing configuration of the tenant with the latest version of the standalone Auth0 Deploy CLI tool.
    2.3. Update the tenant again with your application that uses the auth0-deploy-cli version you found in step 1.
    2.4. Use the same standalone Auth0 Deploy CLI tool again to export the tenant settings. Compare the first and second exports with a text/folder comparison tool like Beyond Compare to see whether there are any unexpected changes.

This approach would likely be one of the safest ways to validate and detect a compatibility issue caused by changes in auth0-deploy-cli. We will be more than happy to review if you notice any unexpected changes in step 2.4.
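The two-part procedure above (bump the dependency and re-scan until the warnings disappear, then export the tenant before and after the upgrade and diff the exports) can be scripted. The following POSIX shell script is an added example written for this article; it is not Auth0's code or part of auth0-deploy-cli. It assumes an npm-based project, `npm audit` (or Snyk, via `SCAN_CMD`) as the scanner, and an existing `config.json` for the Deploy CLI; the `CANDIDATES` version list is a constructed placeholder and should be replaced with the real versions from the CHANGELOG or `npm view auth0-deploy-cli versions`.

```shell
#!/bin/sh
# Added example (not Auth0's code): find the lowest auth0-deploy-cli version
# that passes a security scan, then compare two tenant exports.

# Candidate versions, oldest first. Constructed placeholder list; replace it
# with the real release list for your project.
CANDIDATES="${CANDIDATES:-5.5.1 5.6.0 6.0.0 7.0.0}"

# Scanner command run after each install. Defaults to npm audit at the
# "high" threshold; Snyk users can set SCAN_CMD="snyk test --severity-threshold=high".
SCAN_CMD="${SCAN_CMD:-npm audit --audit-level=high}"

# find_min_clean_version <install_cmd> <scan_cmd>
# Installs each candidate in turn and prints the first version for which the
# scan command exits 0 (no findings at or above the threshold). Both commands
# receive the version as their only argument so that tests can substitute
# fakes. Returns 1 if no candidate passes.
find_min_clean_version() {
  install_cmd="$1"; scan_cmd="$2"
  for v in $CANDIDATES; do
    # Skip versions that fail to install (yanked, typo, no network).
    $install_cmd "$v" >/dev/null 2>&1 || continue
    if $scan_cmd "$v" >/dev/null 2>&1; then
      printf '%s\n' "$v"
      return 0
    fi
  done
  return 1
}

# Real installer: pin the dependency in node_modules without touching
# package.json (--no-save), so the lockfile is only changed once you decide.
install_cli() { npm install --no-save "auth0-deploy-cli@$1"; }

# Real scanner: the version argument is unused, the scan reads node_modules.
scan_cli() { $SCAN_CMD; }

# export_tenant <config.json> <output_dir>
# Exports the tenant with the latest standalone Deploy CLI (step 2.2 / 2.4),
# in directory format so the result can be diffed folder against folder.
export_tenant() {
  npx -p auth0-deploy-cli@latest a0deploy export \
    --config_file "$1" --format directory --output_folder "$2"
}

# compare_exports <dir_before> <dir_after>
# Recursive diff of the two exports. Exit status 0 means identical,
# 1 means the upgraded CLI changed something in the tenant (review it).
compare_exports() {
  diff -ru "$1" "$2"
}

# Usage against a real project and development tenant (uncomment to run):
# min=$(find_min_clean_version install_cli scan_cli) && echo "minimum clean version: $min"
# export_tenant config.json ./export-before   # after deploying with the old version
# export_tenant config.json ./export-after    # after deploying with the new version
# compare_exports ./export-before ./export-after
```

`find_min_clean_version` stops at the first version that passes, which matches the goal of taking the smallest upgrade that clears the findings; if the diff in `compare_exports` is non-empty, that output is what step 2.4 asks you to review before promoting the upgrade beyond the development tenant.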