Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13OHZoLXA3NGoteDl4cM4AA34Q
yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation
Impact
What kind of vulnerability is it? Who is impacted?
Original Report:
The Oauth1/2 "state" and OpenID Connect "nonce" is vulnerable for a "timing attack" since it's compared via regular string
comparison (instead ofYii::$app->getSecurity()->compareString()).
Affected Code:
-
OAuth 1 "state"
-
OAuth 2 "state"
-
OpenID Connect "nonce"
Patches
Has the problem been patched? What versions should users upgrade to?
TBD: Replace strcmp with Yii::$app->getSecurity()->compareString()).
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
not as far as I see.
References
Are there any links users can visit to find out more?
Permalink: https://github.com/advisories/GHSA-w8vh-p74j-x9xpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13OHZoLXA3NGoteDl4cM4AA34Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 11 months ago
Updated: 11 months ago
Identifiers: GHSA-w8vh-p74j-x9xp, CVE-2023-50708
References:
- https://github.com/yiisoft/yii2-authclient/security/advisories/GHSA-w8vh-p74j-x9xp
- https://github.com/yiisoft/yii2-authclient/commit/dabddf2154ab7e7703740205a069202554089248
- https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OAuth1.php#L158
- https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OAuth2.php#L121
- https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OpenIdConnect.php#L420
- https://nvd.nist.gov/vuln/detail/CVE-2023-50708
- https://github.com/advisories/GHSA-w8vh-p74j-x9xp
Blast Radius: 0.0
Affected Packages
packagist:yiisoft/yii2-authclient
Dependent packages: 196Dependent repositories: 1,361
Downloads: 5,063,494 total
Affected Version Ranges: <= 2.2.14
Fixed in: 2.2.15
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14
All unaffected versions: 2.2.15, 2.2.16