8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-37260

GHSA ID

GHSA-wj7q-gjg8-3cpm

EPSS Score

0.78068%

CWE

CWE-200

Published

7/6/2023

Updated

11/5/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-37260

CVE-2023-37260:
league/oauth2-server key exposed in exception message when passing as a string and providing an invalid pass phrase

Impact

Servers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required.

Patches

This issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 or 8.4.2 to receive the patch.

Workarounds

We recommend upgrading the oauth2-server to one of the patched releases (8.5.3 or 8.4.2). If you are unable to upgrade you can avoid this security issue by passing your key as a file instead of a string.

References

(GitHub Advisory)

8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-37260

GHSA ID

GHSA-wj7q-gjg8-3cpm

EPSS Score

0.78068%

CWE

CWE-200

Published

7/6/2023

Updated

11/5/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
league/oauth2-server	composer	>= 8.3.2, < 8.4.2	8.4.2
league/oauth2-server	composer	>= 8.5.0, < 8.5.3	8.5.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how the CryptKey class handles exception messaging when invalid passphrases are provided with string-based keys. The patches in PR #1353 and PR #1359 specifically modify the exception message in CryptKey's constructor to remove the key value from error output. This indicates the constructor was directly responsible for leaking sensitive key material through exception messages in vulnerable versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t S*rv*rs t**t p*ss** t**ir k*ys to t** *ryptK*y *onstru*tor *s *s strin* inst*** o* * *il* p*t* will **v* *** t**t k*y in*lu*** in * Lo*i**x**ption m*ss*** i* t**y *i* not provi** * v*li* p*ss p*r*s* *or t** k*y w**r* r*quir**. ### P*t***

Reasoning

T** vuln*r**ility st*ms *rom *ow t** `*ryptK*y` *l*ss **n*l*s *x**ption m*ss**in* w**n inv*li* p*ssp*r*s*s *r* provi*** wit* strin*-**s** k*ys. T** p*t***s in PR #**** *n* PR #**** sp**i*i**lly mo*i*y t** *x**ption m*ss*** in `*ryptK*y`'s *onstru*tor

8.2

Basic Information

Concerned about an active attack path?

CVE-2023-37260: league/oauth2-server key exposed in exception message when passing as a string and providing an invalid pass phrase

Impact

Patches

Workarounds

References

8.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-37260:
league/oauth2-server key exposed in exception message when passing as a string and providing an invalid pass phrase

Vulnerability Intelligence
Miggo AI