CVE-2023-37260

2023-07-06 16:15:10
CWE-209
Source: web.nvd.nist.gov
Tags: league, oauth2-server, oauth 2.0, authorization server, php, logicexception, fix, cve-2023-37260, nvd

CVSS3: 8.2 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE

EPSS: 0.001 Low, Percentile 37.5%

league/oauth2-server is an implementation of an OAuth 2.0 authorization server written in PHP. Starting in version 8.3.2 and prior to version 8.5.3, servers that passed their keys to the CryptKey constructor as a string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required. This issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 to receive the patch. As a workaround, pass the key as a file instead of a string.
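As an added example, not code from league/oauth2-server, the following PHP guard covers the logging side of the problem described above: it refuses inline PEM strings so the key is always passed as a file path (the advisory's workaround), and scrubs PEM blocks from any LogicException the CryptKey constructor throws before the exception is re-thrown toward a logger. It assumes the library is installed via Composer and that the CryptKey constructor takes the key path and pass phrase as its first two arguments; redactPemBlocks and loadCryptKey are names chosen for this example.

```php
<?php
// Added example, not part of league/oauth2-server. Assumes the CryptKey
// constructor takes (key path or key string, pass phrase) as its first two
// arguments. Function names here are chosen for this example.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Server\CryptKey;

/**
 * Replace every PEM block in $message with a fixed marker so the message is
 * safe to log. Matches any BEGIN/END pair, including "ENCRYPTED PRIVATE KEY".
 */
function redactPemBlocks(string $message): string
{
    $clean = preg_replace(
        '/-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----/s',
        '[REDACTED PEM BLOCK]',
        $message
    );
    // preg_replace() returns null on a regex engine error; never fall back
    // to the unscrubbed message in that case.
    return $clean ?? '[message withheld: redaction failed]';
}

/**
 * Build a CryptKey from a file path (the advisory's workaround) and make sure
 * nothing the constructor throws can carry key material into logs.
 */
function loadCryptKey(string $keyPath, ?string $passPhrase): CryptKey
{
    // Refuse inline key strings so the raw key never reaches the library.
    if (str_starts_with(ltrim($keyPath), '-----BEGIN')) {
        throw new InvalidArgumentException('Pass the key as a file path, not as a PEM string.');
    }
    try {
        return new CryptKey($keyPath, $passPhrase);
    } catch (LogicException $e) {
        // Re-throw with a scrubbed message and deliberately no $previous,
        // since a chained exception would keep the original message.
        throw new LogicException(redactPemBlocks($e->getMessage()), $e->getCode());
    }
}

// Constructed sample message of the kind the vulnerable versions produced.
$leaky = "Unable to read key -----BEGIN RSA PRIVATE KEY-----\n"
    . "MIIEfakefakefake\n-----END RSA PRIVATE KEY----- (no pass phrase)";
echo redactPemBlocks($leaky), PHP_EOL;
```

On a patched release (8.5.3 or later) the library no longer places the key in the message, but the redaction step still protects any other exception path that might echo configuration into logs.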

Affected configurations

Vulners:
Vendor: thephpleague, Product: oauth2-server, Range: 8.3.2 to 8.5.3

NVD:
Vendor: thephpleague, Product: oauth2-server, Version: *, CPE: cpe:2.3:a:thephpleague:oauth2-server:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "thephpleague",
    "product": "oauth2-server",
    "versions": [
      {
        "version": ">= 8.3.2, < 8.5.3",
        "status": "affected"
      }
    ]
  }
]

