Lucene search

K
osvGoogleOSV:GHSA-WJ7Q-GJG8-3CPM
HistoryJul 06, 2023 - 9:07 p.m.

league/oauth2-server key exposed in exception message when passing as a string and providing an invalid pass phrase

2023-07-0621:07:27
Google
osv.dev
13
impact
cryptkey constructor
logicexception
patch
upgrade
workaround
security issue
file path
pass phrase

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS

0.001

Percentile

44.5%

Impact

Servers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required.

Patches

This issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 or 8.4.2 to receive the patch.

Workarounds

We recommend upgrading the oauth2-server to one of the patched releases (8.5.3 or 8.4.2). If you are unable to upgrade you can avoid this security issue by passing your key as a file instead of a string.

References

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS

0.001

Percentile

44.5%

Related for OSV:GHSA-WJ7Q-GJG8-3CPM