8.2

CVE-2023-37260

EPSS 1.83%
Veröffentlicht 06.07.2023 16:15:10
Zuletzt bearbeitet 21.11.2024 08:11:19
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

league/oauth2-server is an implementation of an OAuth 2.0 authorization server written in PHP. Starting in version 8.3.2 and prior to version 8.5.3, servers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required. This issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 to receive the patch. As a workaround, pass the key as a file instead of a string.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Thephpleague ≫ Oauth2-server Version >= 8.3.2 < 8.5.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.83%	0.824

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE-209 Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

https://github.com/thephpleague/oauth2-server/pull/1353

Patch

https://github.com/thephpleague/oauth2-server/releases/tag/8.5.3

Release Notes

https://github.com/thephpleague/oauth2-server/security/advisories/GHSA-wj7q-gjg8-3cpm

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-37260

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-37260

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-37260

EUVD