Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13ajdxLWdqZzgtM2Nwbc4AA0Xq
league/oauth2-server key exposed in exception message when passing as a string and providing an invalid pass phrase
Impact
Servers that passed their keys to the CryptKey constructor as a string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required.
Patches
This issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 or 8.4.2 to receive the patch.
Workarounds
We recommend upgrading oauth2-server to one of the patched releases (8.5.3 or 8.4.2). If you are unable to upgrade, you can avoid this issue by passing your key as a file path instead of a string.
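The failure mode the advisory describes, as an added example that is not league/oauth2-server's own code: loadKeyLeaky and loadKeySafe are hypothetical stand-ins for a CryptKey-style loader that accepts either a file path or inline PEM text, and the pass phrase protected key is generated on the spot rather than taken from anywhere real.

```php
<?php
declare(strict_types=1);

// Added example (not league/oauth2-server code). loadKeyLeaky/loadKeySafe are
// hypothetical stand-ins for a CryptKey-style constructor that accepts either a
// "file://" path or inline PEM text plus an optional pass phrase.

final class KeyLoadError extends LogicException {}

// Vulnerable pattern: the caller's input is echoed into the exception message.
// Harmless when it is a path; a secret leak when the caller passed the PEM itself.
function loadKeyLeaky(string $keyOrPath, ?string $passPhrase): OpenSSLAsymmetricKey
{
    $key = openssl_pkey_get_private($keyOrPath, $passPhrase);
    if ($key === false) {
        throw new KeyLoadError('Unable to read key from ' . $keyOrPath);
    }
    return $key;
}

// Hardened pattern: name the failure, never the material. Only a path is safe to echo.
function loadKeySafe(string $keyOrPath, ?string $passPhrase): OpenSSLAsymmetricKey
{
    $key = openssl_pkey_get_private($keyOrPath, $passPhrase);
    if ($key === false) {
        $where = str_starts_with($keyOrPath, 'file://') ? $keyOrPath : '<inline key material>';
        throw new KeyLoadError(sprintf(
            'Unable to read private key from %s (wrong pass phrase or malformed key?)', $where
        ));
    }
    return $key;
}

// Demo: a constructed, pass phrase protected RSA key handed over as a string.
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($pair, $pem, 'correct-pass-phrase');

foreach (['loadKeyLeaky', 'loadKeySafe'] as $loader) {
    try {
        $loader($pem, 'wrong-pass-phrase');
    } catch (KeyLoadError $e) {
        // Whatever lands in getMessage() usually lands in logs and error pages as well.
        $leaked = str_contains($e->getMessage(), 'PRIVATE KEY');
        printf("%-12s exception contains key material: %s\n", $loader, $leaked ? 'yes' : 'no');
    }
}
```

The same check (grep exception text and logs for "PRIVATE KEY") is a cheap way to confirm an upgraded deployment no longer emits key material on a bad pass phrase.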
Permalink: https://github.com/advisories/GHSA-wj7q-gjg8-3cpm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13ajdxLWdqZzgtM2Nwbc4AA0Xq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 7 months ago
CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Identifiers: GHSA-wj7q-gjg8-3cpm, CVE-2023-37260
References:
- https://github.com/thephpleague/oauth2-server/security/advisories/GHSA-wj7q-gjg8-3cpm
- https://nvd.nist.gov/vuln/detail/CVE-2023-37260
- https://github.com/thephpleague/oauth2-server/pull/1353
- https://github.com/thephpleague/oauth2-server/releases/tag/8.5.3
- https://github.com/thephpleague/oauth2-server/pull/1359
- https://github.com/advisories/GHSA-wj7q-gjg8-3cpm
Blast Radius: 35.2
Affected Packages
packagist:league/oauth2-server
Dependent packages: 241
Dependent repositories: 19,594
Downloads: 82,342,650 total
Affected Version Ranges: >= 8.5.0, < 8.5.3; >= 8.3.2, < 8.4.2
Fixed in: 8.5.3, 8.4.2
All affected versions: 8.3.2, 8.3.3, 8.3.4, 8.3.5, 8.3.6, 8.4.0, 8.4.1, 8.5.0, 8.5.1, 8.5.2
All unaffected versions: 0.2.1, 0.2.2, 0.2.3, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.4.1, 0.4.2, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.1, 2.1.2, 2.1.3, 3.0.1, 3.1.1, 3.1.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 7.0.0, 7.1.0, 7.1.1, 7.2.0, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.4.0, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.3.0, 8.3.1, 8.4.2, 8.5.3, 8.5.4