-
Notifications
You must be signed in to change notification settings - Fork 289
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GHSA-wj7q-gjg8-3cpm] league/oauth2-server key exposed in exception message when passing as a string and providing an invalid pass phrase #2572
Conversation
Hi there @Sephster! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for raising this. Just the one minor adjustment from me of note. Not a major one but keeps things in line with the update to the security advisory in the repo. Thanks
"published": "2023-07-06T21:07:27Z", | ||
"aliases": [ | ||
"CVE-2023-37260" | ||
], | ||
"summary": "league/oauth2-server key exposed in exception message when passing as a string and providing an invalid pass phrase", | ||
"details": "### Impact\nServers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required. \n\n### Patches\nThis issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 to receive the patch\n\n### Workarounds\nWe recommend upgrading the oauth2-server to the latest version. If you are unable to upgrade you can avoid this security issue by passing your key as a file instead of a string.\n\n### References\n[Pull request](https://github.com/thephpleague/oauth2-server/pull/1353) for the applied fix.\n", | ||
"details": "### Impact\nServers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required. \n\n### Patches\nThis issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 or 8.4.2 to receive the patch\n\n### Workarounds\nWe recommend upgrading the oauth2-server to the latest version. If you are unable to upgrade you can avoid this security issue by passing your key as a file instead of a string.\n\n### References\n[Pull request](https://github.com/thephpleague/oauth2-server/pull/1353) for the applied fix.\n[Pull request](https://github.com/thephpleague/oauth2-server/pull/1359) for the applied fix for php 7.x version.\n", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"details": "### Impact\nServers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required. \n\n### Patches\nThis issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 or 8.4.2 to receive the patch\n\n### Workarounds\nWe recommend upgrading the oauth2-server to the latest version. If you are unable to upgrade you can avoid this security issue by passing your key as a file instead of a string.\n\n### References\n[Pull request](https://github.com/thephpleague/oauth2-server/pull/1353) for the applied fix.\n[Pull request](https://github.com/thephpleague/oauth2-server/pull/1359) for the applied fix for php 7.x version.\n", | |
"details": "### Impact\nServers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required. \n\n### Patches\nThis issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 or 8.4.2 to receive the patch\n\n### Workarounds\nWe recommend upgrading the oauth2-server to one of the patched releases (8.5.3 or 8.4.2). If you are unable to upgrade you can avoid this security issue by passing your key as a file instead of a string.\n\n### References\n[Pull request](https://github.com/thephpleague/oauth2-server/pull/1353) for the applied fix.\n[Pull request](https://github.com/thephpleague/oauth2-server/pull/1359) for the applied fix for php 7.x version.\n", |
9185943
into
christianmeller/advisory-improvement-2572
Hi @christianmeller! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Thank you both! 🙇 |
Updates
Comments
Fixed for php7.x versions, see thephpleague/oauth2-server#1359