Currently, active bearer tokens are written to the log at the "INFO" level by the IdentityAuthorizationServerProvider class, i.e.:
_log.Information($"Authentication Request: {GetRequestInfo(context)}");
Because the logged request info includes the Authorization header verbatim, any malicious user with read access to the logs can replay the token and assume the identity of any currently active user, including administrative users, for as long as that token remains valid.
To prevent session hijacking, raw session tokens should never be written to logs (ref OWASP ASVS 3.6: http://owasp-aasvs.readthedocs.io/en/latest/requirement-3.6.html).
If session-based troubleshooting/diagnostics is required, a common approach is to record a one-way hash of the token (e.g. MD5) instead of the token itself, so that log lines belonging to one session can still be correlated without the token being recoverable. A keyed hash (HMAC with a server-side secret) or SHA-256 is preferable to MD5, which is deprecated for new use; in either case the digest should be truncated to a short correlation id and logged at DEBUG rather than INFO.
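The following is an added example of the redaction described above; it is not code from this project, and GetRequestInfo is not reproduced here because its body is not on this page. It assumes the Authorization header value is available as a string (as it is from the OWIN request in an OAuthAuthorizationServerProvider callback) and that a server-side log key is provisioned from configuration; the key literal below is a placeholder so the program runs stand-alone.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: log a keyed fingerprint of a bearer token instead of the token itself.
// Assumptions (not from the original issue): the log key comes from configuration/key vault,
// and the header value is whatever arrived in the request's Authorization header.
public static class TokenLogging
{
    // Server-side secret used only for log fingerprints. Hard-coded here so the example
    // runs stand-alone; in a real deployment load it from configuration, never from source.
    private static readonly byte[] LogKey =
        Encoding.UTF8.GetBytes("replace-with-a-random-32-byte-key-from-config");

    // Returns a short, non-reversible correlation id for a token. The same token always
    // yields the same id, so an operator can trace one session across log lines, but a
    // log reader cannot recover the token or replay it. Keying the hash also stops an
    // attacker who already holds a candidate token from confirming it against the logs.
    public static string Fingerprint(string token)
    {
        using (var hmac = new HMACSHA256(LogKey))
        {
            byte[] digest = hmac.ComputeHash(Encoding.UTF8.GetBytes(token));
            // 12 bytes (96 bits) is plenty to avoid accidental collisions in logs.
            return BitConverter.ToString(digest, 0, 12).Replace("-", "").ToLowerInvariant();
        }
    }

    // Rewrites an Authorization header value so it is safe to include in request diagnostics.
    // "Bearer <token>" becomes "Bearer fp:<fingerprint>"; any other scheme is reduced to its
    // scheme name so Basic credentials and the like never reach the log either.
    public static string RedactAuthorizationHeader(string headerValue)
    {
        if (string.IsNullOrWhiteSpace(headerValue))
            return "<none>";

        var parts = headerValue.Split(new[] { ' ' }, 2, StringSplitOptions.RemoveEmptyEntries);
        string scheme = parts[0];
        if (parts.Length < 2)
            return scheme + " <empty>";

        if (scheme.Equals("Bearer", StringComparison.OrdinalIgnoreCase))
            return "Bearer fp:" + Fingerprint(parts[1]);

        return scheme + " <redacted>";
    }

    public static void Main()
    {
        // Constructed sample header; this is not a real token.
        string header = "Bearer eyJhbGciOiJIUzI1NiJ9.constructed.sample";

        Console.WriteLine("Unsafe: " + header);                            // what the INFO log records today
        Console.WriteLine("Safe:   " + RedactAuthorizationHeader(header)); // what it should record instead
        Console.WriteLine("Basic:  " + RedactAuthorizationHeader("Basic dXNlcjpwYXNz"));
        Console.WriteLine("None:   " + RedactAuthorizationHeader(null));
    }
}
```

In the provider, the request-info string passed to _log.Information would be built from RedactAuthorizationHeader(context.Request.Headers["Authorization"]) rather than the raw header, and ideally demoted to the DEBUG level. The fingerprint is deliberately keyed and truncated: an unkeyed digest of a low-entropy or guessable token can be brute-forced offline from the log, whereas an HMAC is only useful to whoever holds the log key.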