yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation

🗓️ 18 Dec 2023 20:01:00Reported by GitHub Advisory DatabaseType

Yii2-authClient timing attack in OAuth1, OAuth2, OpenID Connect

Reporter	Title	Published	Views	Family All 11
Circl	CVE-2023-50708	22 Dec 202320:24	–	circl
CNNVD	yii2 security vulnerabilities	22 Dec 202300:00	–	cnnvd
CVE	CVE-2023-50708	22 Dec 202318:25	–	cve
Cvelist	CVE-2023-50708 yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation	22 Dec 202318:25	–	cvelist
EUVD	EUVD-2023-3310	3 Oct 202520:07	–	euvd
NVD	CVE-2023-50708	22 Dec 202319:15	–	nvd
OSV	CVE-2023-50708 yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation	22 Dec 202318:25	–	osv
OSV	GHSA-W8VH-P74J-X9XP yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation	18 Dec 202320:01	–	osv
Prion	Buffer overflow	22 Dec 202319:15	–	prion
Positive Technologies	PT-2023-31614 · Unknown · Yii2-Authclient	18 Dec 202300:00	–	ptsecurity

Vulners

Node

yiisoft yii2-authclientRange≤2.2.14composer

Source	Link
github	www.github.com/yiisoft/yii2-authclient/security/advisories/GHSA-w8vh-p74j-x9xp
github	www.github.com/yiisoft/yii2-authclient/commit/dabddf2154ab7e7703740205a069202554089248
github	www.github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OAuth1.php
github	www.github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OAuth2.php
github	www.github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OpenIdConnect.php
nvd	www.nvd.nist.gov/vuln/detail/CVE-2023-50708
github	www.github.com/advisories/GHSA-w8vh-p74j-x9xp

22 Dec 2023 22:23Current

7High risk

Vulners AI Score7

CVSS 3.16.1 - 9.8

EPSS0.00162