Unknown · League/Oauth2-Server · CVE-2023-37260
**Name of the Vulnerable Software and Affected Versions**
league/oauth2-server versions 8.3.2 through 8.5.2
**Description**
league/oauth2-server is an OAuth 2.0 authorization server library written in PHP. In the affected versions, a server that passed its key material to the CryptKey constructor as a string rather than as a file path would have that key string included in the message of the LogicException thrown when a valid pass phrase for the key was not provided. Because exception messages are routinely written to logs and error reports, this could expose the private key to anyone with access to those outputs. The patch removes the provided key from the exception message.
**Recommendations**
For versions 8.3.2 through 8.5.2, upgrade to version 8.5.3 to receive the patch.
As a temporary workaround for versions 8.3.2 through 8.5.2, pass the key as a file instead of a string.
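The following is an added example, not code from the advisory or from the league/oauth2-server project, showing the vulnerable pattern beside the workaround described above. It assumes the library is installed through Composer (so `vendor/autoload.php` exists) and that the OpenSSL extension is available; the throw-away key, the pass phrases and the helper names `cryptKeyFromPem` and `messageLeaksKey` are all constructed for the demo. On a version in the affected range the first check reports a leak and the second does not; on 8.5.3 or later neither does.

```php
<?php
// Added example (not part of the advisory or the league/oauth2-server code base).
// Assumes league/oauth2-server installed via Composer and ext-openssl loaded.
require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Server\CryptKey;

/**
 * Workaround from the advisory: never hand key material to CryptKey as a
 * string. Write it to a mode-0600 file and pass the path, so an exception
 * raised on a bad pass phrase can only name the path, not the key itself.
 * (Hypothetical helper; not part of the library.)
 */
function cryptKeyFromPem(string $pem, ?string $passPhrase): CryptKey
{
    $path = tempnam(sys_get_temp_dir(), 'oauth2key');
    if ($path === false || file_put_contents($path, $pem) === false) {
        throw new RuntimeException('could not write key file');
    }
    chmod($path, 0600); // CryptKey emits a notice for permissions other than 600/660
    return new CryptKey($path, $passPhrase);
}

/**
 * Detection check: true if any base64 line of the PEM body appears in the
 * exception text, i.e. the message carries the key material.
 * (Hypothetical helper; not part of the library.)
 */
function messageLeaksKey(string $message, string $pem): bool
{
    foreach (preg_split('/\R/', trim($pem)) as $line) {
        if ($line === '' || str_starts_with($line, '-----')) {
            continue; // skip blank lines and the PEM armour lines
        }
        if (str_contains($message, $line)) {
            return true;
        }
    }
    return false;
}

// Constructed throw-away RSA key, encrypted with a pass phrase, for the demo only.
$res = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
openssl_pkey_export($res, $pem, 'correct pass phrase');

// Vulnerable pattern on 8.3.2 through 8.5.2: key passed as a string with a wrong pass phrase.
try {
    new CryptKey($pem, 'wrong pass phrase');
} catch (LogicException $e) {
    printf("string key: exception message contains key material: %s\n",
        messageLeaksKey($e->getMessage(), $pem) ? 'YES' : 'no');
}

// Workaround: same key and same wrong pass phrase, but passed as a file path.
try {
    cryptKeyFromPem($pem, 'wrong pass phrase');
} catch (LogicException $e) {
    printf("file key:   exception message contains key material: %s\n",
        messageLeaksKey($e->getMessage(), $pem) ? 'YES' : 'no');
}
```

Run it once against your deployed vendor tree to confirm which behaviour you have; the `messageLeaksKey` check is also a reasonable guard to wrap around any exception handler that logs messages from key loading, so a regression would be noticed rather than silently written to a log.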