CVE-2023-50708

Name of the Vulnerable Software and Affected Versions yii2-authclient versions prior to 2.2.15

Description The issue concerns a timing attack vulnerability in the Oauth1/2 state and OpenID Connect nonce due to comparison via regular string comparison instead of using Yii::$app->getSecurity()->compareString(). This vulnerability affects the OAuth 1 "state", OAuth 2 "state", and OpenID Connect "nonce". No estimated number of potentially affected devices or real-world incidents are mentioned.

Recommendations For yii2-authclient versions prior to 2.2.15, update to version 2.2.15 to resolve the issue. As a temporary workaround, consider using Yii::$app->getSecurity()->compareString() for comparing the Oauth1/2 state and OpenID Connect nonce until the official patch is applied.