
CVE-2023-50708 yiisoft/yii2-authclient

Package

Manager: composer
Name: yiisoft/yii2-authclient
Vulnerable Version: >=0 <2.2.15

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00162 (percentile 0.3762)

Details

yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation

Impact

Original Report:

> The OAuth1/2 "state" and OpenID Connect "nonce" are vulnerable to a "timing attack" since they are compared via regular string comparison (instead of `Yii::$app->getSecurity()->compareString()`).

Affected Code:

1. OAuth 1 "state": https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OAuth1.php#L158
2. OAuth 2 "state": https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OAuth2.php#L121
3. OpenID Connect "nonce": https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OpenIdConnect.php#L420

Patches

TBD: Replace strcmp with `Yii::$app->getSecurity()->compareString()`.

Workarounds

Not as far as I see.
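The advisory's point is that an ordinary PHP string comparison returns as soon as the first differing byte is found, so the time a callback takes to reject a bad "state" or "nonce" depends on how much of the submitted value matches the stored one. The example below is added here and is not yii2-authclient's own code: it shows the weak comparison beside the hardened one using PHP's built-in `hash_equals()` (which is what a constant-time compare such as `compareString()` is understood to rely on; that is an assumption about Yii's internals, not something the advisory states), plus a hand-written constant-time compare so the idea is visible. Function names, the session key and the callback sketch are all assumptions for illustration.

```php
<?php
// Added example, not code from yii2-authclient. Demonstrates validating an
// OAuth2 "state" value on the redirect callback with a constant-time compare.
declare(strict_types=1);

/** Weak: early-exit comparison, the "regular string comparison" the advisory describes. */
function stateMatchesWeak(string $stored, string $received): bool
{
    return $received === $stored;
}

/** Hardened: hash_equals() is a standard PHP built-in whose running time does not
 *  depend on where the first differing byte sits. */
function stateMatchesSafe(string $stored, string $received): bool
{
    return hash_equals($stored, $received);
}

/**
 * Hand-written constant-time compare, for readers who want to see the idea:
 * every byte of $actual is visited and mismatches are accumulated with OR,
 * so there is no early return on the first difference.
 */
function constantTimeEquals(string $expected, string $actual): bool
{
    $expectedLength = strlen($expected);
    $actualLength = strlen($actual);
    // A length difference is folded into the result up front.
    $diff = $expectedLength ^ $actualLength;
    if ($expectedLength === 0) {
        return $diff === 0;
    }
    for ($i = 0; $i < $actualLength; $i++) {
        // Index wraps so we never read past the end of $expected.
        $diff |= ord($actual[$i]) ^ ord($expected[$i % $expectedLength]);
    }
    return $diff === 0;
}

/**
 * Callback handler sketch (assumed shape): the state issued when the flow
 * started was stored in the session; the value returned in the redirect
 * must match it. A missing stored state is rejected as well.
 */
function handleCallback(array $session, array $query): string
{
    $stored = $session['oauth2_state'] ?? '';
    $received = (string) ($query['state'] ?? '');
    if ($stored === '' || !stateMatchesSafe($stored, $received)) {
        return 'rejected: state mismatch';
    }
    return 'accepted';
}

// Constructed sample values, not real tokens.
$session = ['oauth2_state' => bin2hex(random_bytes(16))];
var_dump(handleCallback($session, ['state' => $session['oauth2_state']]));
var_dump(handleCallback($session, ['state' => 'not-the-issued-state']));
var_dump(constantTimeEquals('abc', 'abc'), constantTimeEquals('abc', 'abd'));
```

Both `stateMatchesSafe()` and `constantTimeEquals()` give the same true/false answer as `stateMatchesWeak()`; the only thing that changes is that the work done no longer depends on the content of the attacker-controlled input, which is the property the advisory asks for.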

Metadata

Created: 2023-12-18T20:01:00Z
Modified: 2023-12-22T22:23:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-w8vh-p74j-x9xp/GHSA-w8vh-p74j-x9xp.json
CWE IDs: ["CWE-203"]
Alternative ID: GHSA-w8vh-p74j-x9xp
Finding: F026
Auto approve: 1