PT-2023-25864 · Unknown · League/Oauth2-Server

Mhc03 · Published 2023-07-06 · Updated 2023-07-13 · CVE-2023-37260

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

league/oauth2-server versions 8.3.2 through 8.5.2

Description

The issue concerns an OAuth 2.0 authorization server written in PHP. Servers that passed their keys to the CryptKey constructor as a string instead of a file path would have the key included in a LogicException message if a valid pass phrase for the key was not provided. This has been patched so that the provided key is no longer exposed in the exception message.

Recommendations

For versions 8.3.2 through 8.5.2, upgrade to version 8.5.3 to receive the patch. As a temporary workaround for versions 8.3.2 through 8.5.2, pass the key as a file instead of a string.
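The following is an added example, not code from league/oauth2-server or from this advisory. It shows the workaround (loading the key from a permission-restricted file rather than passing PEM text), plus a wrapper that scrubs PEM material from a LogicException before it reaches a logger, and a small detector for PEM blocks that can be run over existing log lines. Assumptions: the CryptKey constructor signature `(string $keyPath, ?string $passPhrase = null, bool $keyPermissionsCheck = true)`, that an undecryptable key raises \LogicException, and the constructed sample message at the bottom (the advisory does not quote the real exception text).

```php
<?php
// Added example; assumes League\OAuth2\Server\CryptKey with the constructor
// (string $keyPath, ?string $passPhrase = null, bool $keyPermissionsCheck = true)
// and that an unreadable or undecryptable key raises \LogicException.
declare(strict_types=1);

use League\OAuth2\Server\CryptKey;

/** True if the text carries PEM private-key material (detection check for logs). */
function containsPemKey(string $text): bool
{
    return (bool) preg_match('/-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----/', $text);
}

/** Replace every PEM block with a marker so the message is safe to log. */
function redactPem(string $text): string
{
    $out = preg_replace(
        '/-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----/s',
        '[REDACTED PEM BLOCK]',
        $text
    );
    // If the closing line was cut off, scrub from the header to the end of the text.
    $out = preg_replace('/-----BEGIN [A-Z ]+-----.*/s', '[REDACTED PEM BLOCK]', $out ?? $text);
    return $out ?? '[REDACTION FAILED]';
}

/**
 * Advisory workaround: hand CryptKey a file path, never the key contents.
 * Also refuses group/world-readable key files and redacts any exception text.
 */
function loadCryptKey(string $keyPath, ?string $passPhrase = null): CryptKey
{
    if (!is_file($keyPath) || !is_readable($keyPath)) {
        throw new \RuntimeException('key file missing or unreadable: ' . $keyPath);
    }
    $perms = fileperms($keyPath) & 0o777;
    if (($perms & 0o077) !== 0) {
        throw new \RuntimeException(sprintf('key file %s is too permissive (%o)', $keyPath, $perms));
    }
    try {
        return new CryptKey($keyPath, $passPhrase);
    } catch (\LogicException $e) {
        // Belt and braces: even on a fixed version, never forward raw key text to a logger.
        throw new \LogicException(redactPem($e->getMessage()), 0, $e);
    }
}

// Pattern the advisory warns about (affected 8.3.2 - 8.5.2): key passed as a string.
//   $key = new CryptKey(file_get_contents('/etc/oauth2/private.key'), 'wrong-passphrase');
// Pattern to use instead: a path to a 0600 key file.
//   $key = loadCryptKey('/etc/oauth2/private.key', getenv('OAUTH2_KEY_PASSPHRASE') ?: null);

// Constructed sample log line (hypothetical message text, not quoted from the project):
$sample = "LogicException: Unable to read key -----BEGIN RSA PRIVATE KEY-----\n"
        . "MIIEowIBAAKCAQEAexample\n-----END RSA PRIVATE KEY-----";
echo containsPemKey($sample) ? "leak detected\n" : "clean\n";
echo redactPem($sample), "\n";
```

Running the script prints `leak detected` followed by the message with the PEM block replaced by `[REDACTED PEM BLOCK]`; the `containsPemKey` check is cheap enough to run across an application's existing error logs when assessing exposure on an affected version.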

Exploit · Fix

Weakness Enumeration

Information Disclosure
Generation of Error Message Containing Sensitive Information

Related Identifiers

CVE-2023-37260
GHSA-WJ7Q-GJG8-3CPM

Affected Products

League/Oauth2-Server