league/oauth2-server key exposed in exception message when passing as string and providing invalid pass phrase
CVE-2023-37260
8.2 HIGH
What is CVE-2023-37260?
The OAuth 2.0 authorization server from The PHP League has a vulnerability in which a key passed as a string to the CryptKey constructor is included in the message of the LogicException thrown when the key needs a passphrase and a valid one is not supplied. Versions 8.3.2 through 8.5.2 (>= 8.3.2, < 8.5.3) are affected, so the private key material can leak wherever that exception message is logged or displayed. The issue is fixed in version 8.5.3, where the key is no longer included in exception messages. Users are strongly advised to upgrade to the patched version. As a temporary workaround, keys can be supplied to CryptKey as file paths instead of as strings.
Affected Version(s)
oauth2-server >= 8.3.2, < 8.5.3
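The workaround described above, written out as an added example (this is not code from the advisory or from league/oauth2-server itself): PEM material that arrives as a string is written to an owner-only file and CryptKey is given the path, so a wrong passphrase can no longer place the key contents in the exception message. The environment variable names PRIVATE_KEY_PEM and PRIVATE_KEY_PASSPHRASE, the temporary directory, and the helper names are assumptions for the example; the `League\OAuth2\Server\CryptKey` constructor (path, optional passphrase, permissions check) is the library's own.

```php
<?php
// Added example for CVE-2023-37260; not part of the advisory or of league/oauth2-server.
// Assumptions (not in the advisory): keys arrive via the PRIVATE_KEY_PEM and
// PRIVATE_KEY_PASSPHRASE environment variables, and Composer autoloading is available.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Server\CryptKey;

/**
 * Write PEM material to a file only the current user can read and return its path.
 * CryptKey's permission check expects 0600 or 0660, so chmod the file before use.
 */
function writeKeyToPrivateFile(string $pem): string
{
    $dir = sys_get_temp_dir() . '/oauth2-keys'; // assumed location for this example
    if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new \RuntimeException('Cannot create key directory');
    }
    $path = $dir . '/private-' . bin2hex(random_bytes(8)) . '.key';
    if (file_put_contents($path, $pem, LOCK_EX) === false || !chmod($path, 0600)) {
        throw new \RuntimeException('Cannot write key file');
    }
    return $path;
}

/**
 * Build a CryptKey from a file path. Any loader exception is replaced by one whose
 * message names only the path, never the key material or the passphrase.
 */
function loadCryptKey(string $path, ?string $passPhrase): CryptKey
{
    try {
        return new CryptKey($path, $passPhrase, true);
    } catch (\LogicException $e) {
        // Deliberately do not chain $e: on affected versions its message may contain the key.
        throw new \LogicException(sprintf('Unable to load key from %s (check the passphrase)', $path));
    }
}

$pem = getenv('PRIVATE_KEY_PEM') ?: '';
$passPhrase = getenv('PRIVATE_KEY_PASSPHRASE') ?: null;

// Pattern affected on 8.3.2 <= version < 8.5.3: passing the PEM string directly.
// $key = new CryptKey($pem, $passPhrase);

// Workaround: hand CryptKey a path instead of the key contents.
$path = writeKeyToPrivateFile($pem);
$key = loadCryptKey($path, $passPhrase);
```

The key file must remain in place for as long as the authorization server uses the CryptKey, so do not delete it immediately after construction. The wrapper in `loadCryptKey` is defence in depth for log hygiene; the actual fix is upgrading to 8.5.3 or later.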