[GHSA-wj7q-gjg8-3cpm] league/oauth2-server key exposed in exception message when passing as a string and providing an invalid pass phrase

[christianmeller]

Updates

• Affected products
• Description
• References

Comments
Fixed for php7.x versions, see thephpleague/oauth2-server#1359

[github]

Hi there @Sephster! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[Sephster]

Thanks for raising this. Just the one minor adjustment from me of note. Not a major one but keeps things in line with the update to the security advisory in the repo. Thanks

[Sephster]

Suggested change

"details": "### Impact\nServers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required. \n\n### Patches\nThis issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 or 8.4.2 to receive the patch\n\n### Workarounds\nWe recommend upgrading the oauth2-server to the latest version. If you are unable to upgrade you can avoid this security issue by passing your key as a file instead of a string.\n\n### References\n[Pull request](https://github.com/thephpleague/oauth2-server/pull/1353) for the applied fix.\n[Pull request](https://github.com/thephpleague/oauth2-server/pull/1359) for the applied fix for php 7.x version.\n",

"details": "### Impact\nServers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required. \n\n### Patches\nThis issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 or 8.4.2 to receive the patch\n\n### Workarounds\nWe recommend upgrading the oauth2-server to one of the patched releases (8.5.3 or 8.4.2). If you are unable to upgrade you can avoid this security issue by passing your key as a file instead of a string.\n\n### References\n[Pull request](https://github.com/thephpleague/oauth2-server/pull/1353) for the applied fix.\n[Pull request](https://github.com/thephpleague/oauth2-server/pull/1359) for the applied fix for php 7.x version.\n",

[advisory-database]

Hi @christianmeller! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[darakian]

Thank you both! 🙇