9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-50708

GHSA ID

GHSA-w8vh-p74j-x9xp

EPSS Score

0.37915%

CWE

CWE-203

Published

12/18/2023

Updated

12/22/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-50708

CVE-2023-50708: yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation

Impact

What kind of vulnerability is it? Who is impacted?

Original Report:

The Oauth1/2 "state" and OpenID Connect "nonce" is vulnerable for a "timing attack" since it's compared via regular string comparison (instead of Yii::$app->getSecurity()->compareString()).

Affected Code:

OAuth 1 "state"

https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OAuth1.php#L158
OAuth 2 "state"

https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OAuth2.php#L121
OpenID Connect "nonce"

https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OpenIdConnect.php#L420

Patches

Has the problem been patched? What versions should users upgrade to?

TBD: Replace strcmp with Yii::$app->getSecurity()->compareString()).

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

not as far as I see.

References

Are there any links users can visit to find out more?

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-50708

GHSA ID

GHSA-w8vh-p74j-x9xp

EPSS Score

0.37915%

CWE

CWE-203

Published

12/18/2023

Updated

12/22/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
yiisoft/yii2-authclient	composer	<= 2.2.14	2.2.15

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using strcmp() for security-sensitive comparisons of OAuth1/OAuth2 'state' and OpenID Connect 'nonce' parameters. The commit diff shows replacements of strcmp() with Yii's timing-safe compareString() in these exact locations. The vulnerability report explicitly identifies these three comparison points as vulnerable due to their use of non-constant-time string comparison, which allows potential timing attacks. The high confidence comes from direct code evidence in the patches and explicit advisory references to these specific code locations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t _W**t kin* o* vuln*r**ility is it? W*o is imp**t**?_ Ori*in*l R*port: > T** O*ut**/* "st*t*" *n* Op*nI* *onn**t "non**" is vuln*r**l* *or * "timin* *tt**k" sin** it's *omp*r** vi* r**ul*r strin* > *omp*rison (inst*** o* `Yii::$*pp->**tS

Reasoning

T** vuln*r**ility st*ms *rom usin* `str*mp()` *or s**urity-s*nsitiv* *omp*risons o* O*ut**/O*ut** 'st*t*' *n* Op*nI* *onn**t 'non**' p*r*m*t*rs. T** *ommit *i** s*ows r*pl***m*nts o* `str*mp()` wit* Yii's `timin*-s*** *omp*r*Strin*()` in t**s* *x**t

9.8

Basic Information

Concerned about an active attack path?

CVE-2023-50708: yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation

Impact

Patches

Workarounds

References

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI