CVE-2023-37260

Published: Jul 6, 2023Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

league/oauth2-server is an implementation of an OAuth 2.0 authorization server written in PHP. Starting in version 8.3.2 and prior to version 8.5.3, servers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required. This issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 to receive the patch. As a workaround, pass the key as a file instead of a string.

Affected (1)

Products: Thephpleague: Oauth2 Server

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Thephpleague Oauth2 Server	From 8.3.2 to 8.5.3

Related CWEs

Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

References (6)

https://github.com/thephpleague/oauth2-server/pull/1353

Source: security-advisories@github.com

Patch

https://github.com/thephpleague/oauth2-server/releases/tag/8.5.3

Source: security-advisories@github.com

Release Notes

https://github.com/thephpleague/oauth2-server/security/advisories/GHSA-wj7q-gjg8-3cpm

Source: security-advisories@github.com

Vendor Advisory

https://github.com/thephpleague/oauth2-server/pull/1353

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/thephpleague/oauth2-server/releases/tag/8.5.3

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/thephpleague/oauth2-server/security/advisories/GHSA-wj7q-gjg8-3cpm

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.