Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13ajdxLWdqZzgtM2Nwbc4AA0Xq

league/oauth2-server key exposed in exception message when passing as a string and providing an invalid pass phrase

Impact

Servers that passed their keys to the CryptKey constructor as a string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for a key that required one.

Patches

This issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 or 8.4.2 to receive the patch.

Workarounds

We recommend upgrading oauth2-server to one of the patched releases (8.5.3 or 8.4.2). If you are unable to upgrade, you can avoid this issue by passing your key as a file path instead of a string.
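The affected and workaround patterns side by side, as an added example that is not part of the advisory or of league/oauth2-server's own code. It assumes the 8.x constructor shape `CryptKey($keyPath, $passPhrase = null, $keyPermissionsCheck = true)`, where the first argument may be either a filesystem path or the PEM text of the key, and the file path and environment variable name are placeholders:

```php
<?php
// Added example (not from the advisory or the library). Assumes the 8.x
// constructor CryptKey($keyPath, $passPhrase = null, $keyPermissionsCheck = true).

use League\OAuth2\Server\CryptKey;

require __DIR__ . '/vendor/autoload.php';

$keyFile    = __DIR__ . '/private.key';                // placeholder path
$passPhrase = getenv('OAUTH_KEY_PASSPHRASE') ?: null;  // placeholder variable name

// Affected pattern (8.3.2 - 8.4.1 and 8.5.0 - 8.5.2): the PEM contents are
// passed as a string, so a wrong or missing pass phrase puts the whole
// private key into the LogicException message, and from there into logs.
// $privateKey = new CryptKey(file_get_contents($keyFile), $passPhrase);

// Workaround from the advisory: hand the library the path instead. A bad
// pass phrase still throws, but the message refers to the file rather than
// carrying the key material.
try {
    $privateKey = new CryptKey($keyFile, $passPhrase);
} catch (\LogicException $e) {
    // Defensive habit on any version: do not forward raw key-loading exception
    // text to logs or HTTP responses; record a fixed message and fail closed.
    error_log('OAuth2 private key could not be loaded; check path and pass phrase');
    http_response_code(500);
    exit;
}
```

The catch block matters even after upgrading: exception messages from key-loading code are a common place for secrets to leak into centralized logging, so log a fixed string and keep the original exception out of anything that leaves the process.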

References

Permalink: https://github.com/advisories/GHSA-wj7q-gjg8-3cpm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13ajdxLWdqZzgtM2Nwbc4AA0Xq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 7 months ago
CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Identifiers: GHSA-wj7q-gjg8-3cpm, CVE-2023-37260
References: Repository: https://github.com/thephpleague/oauth2-server
Blast Radius: 35.2

Affected Packages

packagist:league/oauth2-server
Dependent packages: 241
Dependent repositories: 19,594
Downloads: 82,342,650 total
Affected Version Ranges: >= 8.5.0, < 8.5.3, >= 8.3.2, < 8.4.2
Fixed in: 8.5.3, 8.4.2
All affected versions: 8.3.2, 8.3.3, 8.3.4, 8.3.5, 8.3.6, 8.4.0, 8.4.1, 8.5.0, 8.5.1, 8.5.2
All unaffected versions: 0.2.1, 0.2.2, 0.2.3, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.4.1, 0.4.2, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.1, 2.1.2, 2.1.3, 3.0.1, 3.1.1, 3.1.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 7.0.0, 7.1.0, 7.1.1, 7.2.0, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.4.0, 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.3.0, 8.3.1, 8.4.2, 8.5.3, 8.5.4