The Oauth2 PKCE implementation is vulnerable
CVE-2023-50714

6.8MEDIUM

Key Information:

Vendor: Yiisoft
Status: Yii2-authclient
Vendor: CVE Published:; 22 December 2023

What is CVE-2023-50714?

yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the authCodeVerifier should be removed after usage (similar to authState). Second, there is a risk for a downgrade attack if PKCE is being relied on for CSRF protection. Version 2.2.15 contains a patch for the issue. No known workarounds are available.

Affected Version(s)

yii2-authclient < 2.2.15

References

https://github.com/yiisoft/yii2-authclient/security/advis...

x_refsource_CONFIRM

https://github.com/yiisoft/yii2-authclient/commit/721ed97...

x_refsource_MISC

https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f...

x_refsource_MISC

CVSS V3.1

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 22, 2023
Vulnerability Reserved
Dec 11, 2023

Yiisoft

What is CVE-2023-50714?

Affected Version(s)

References

CVSS V3.1

Timeline