PT-2023-25864 · Unknown · League/Oauth2-Server

Mhc03 · Published 2023-07-06 · Updated 2023-07-13 · CVE-2023-37260

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: league/oauth2-server versions 8.3.2 through 8.5.2
Description: The issue concerns an OAuth 2.0 authorization server written in PHP. Servers that passed their key to the CryptKey constructor as a string (the key contents) rather than as a file path would have that key included in a LogicException message whenever a valid pass phrase for the key was not provided. The library has been patched so that the provided key is no longer exposed in the exception message.
Recommendations: For versions 8.3.2 through 8.5.2, upgrade to version 8.5.3 to receive the patch. As a temporary workaround for versions 8.3.2 through 8.5.2, pass the key as a file instead of a string.
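The defect and the workaround above, shown as an added example that is not code from league/oauth2-server: a small stand-in key loader that reproduces the leaky exception message beside a hardened variant, then loads the key from a file as the advisory suggests. It assumes PHP 8 with the openssl extension; the key and pass phrases are generated for the demo and are not real secrets.

```php
<?php
// Added example, not league/oauth2-server code: a key loader that reproduces
// the CVE-2023-37260 message defect beside a hardened variant, plus the
// file-based workaround. Assumes PHP 8 with the openssl extension.

function describeSource(string $keyPathOrPem): string
{
    // Name the source without ever echoing key material into a message.
    return str_starts_with($keyPathOrPem, '-----BEGIN')
        ? 'inline PEM string (contents withheld)'
        : 'file ' . $keyPathOrPem;
}

function loadPrivateKey(string $keyPathOrPem, ?string $passPhrase, bool $leaky): \OpenSSLAsymmetricKey
{
    $source = str_starts_with($keyPathOrPem, '-----BEGIN') ? $keyPathOrPem : 'file://' . $keyPathOrPem;
    $key = openssl_pkey_get_private($source, $passPhrase);
    if ($key === false) {
        // Vulnerable pattern: the caller's input, which may be the key itself,
        // is concatenated into the exception. Hardened: only a description.
        throw new \LogicException('Unable to read key from '
            . ($leaky ? $keyPathOrPem : describeSource($keyPathOrPem)));
    }
    return $key;
}

// Constructed demo key, exported with a pass phrase so a wrong one fails to load.
$generated = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($generated, $pem, 'correct-pass-phrase');
foreach ([true, false] as $leaky) {
    try {
        loadPrivateKey($pem, 'wrong-pass-phrase', $leaky);
    } catch (\LogicException $e) {
        $exposed = str_contains($e->getMessage(), '-----BEGIN') ? 'LEAKS the key' : 'withholds the key';
        printf("%s loader: message %s (%d chars)\n", $leaky ? 'Leaky' : 'Safe', $exposed, strlen($e->getMessage()));
    }
}

// Workaround for affected versions: hand the key over as a file, not a string,
// so a failed load can only name the path. Restrict permissions before use.
$path = tempnam(sys_get_temp_dir(), 'oauth2-key-');
file_put_contents($path, $pem);
chmod($path, 0600);
try {
    loadPrivateKey($path, 'wrong-pass-phrase', true);
} catch (\LogicException $e) {
    echo "File-based loader message: {$e->getMessage()}\n"; // names only the path
}
unlink($path);
```

Even with the file workaround, logs that capture exception messages still record the key's path, so keep the file outside any web-served directory.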

Exploit

Fix

Information Disclosure

Generation of Error Message Containing Sensitive Information


Weakness Enumeration

Related identifiers

CVE-2023-37260
GHSA-WJ7Q-GJG8-3CPM

Affected products

League/Oauth2-Server