GHSA-w8vh-p74j-x9xp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w8vh-p74j-x9xp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-w8vh-p74j-x9xp/GHSA-w8vh-p74j-x9xp.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-w8vh-p74j-x9xp
- Aliases
- Published
- 2023-12-18T20:01:00Z
- Modified
- 2024-01-02T05:51:12.575791Z
- Severity
-
- 0.0 (None) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N CVSS Calculator
- Summary
- yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation
- Details
-
Impact
What kind of vulnerability is it? Who is impacted?
Original Report:
The Oauth1/2 "state" and OpenID Connect "nonce" is vulnerable for a "timing attack" since it's compared via regular string comparison (instead of
Yii::$app->getSecurity()->compareString()).Affected Code:
OAuth 1 "state"
https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OAuth1.php#L158
OAuth 2 "state"
https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OAuth2.php#L121
OpenID Connect "nonce"
https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OpenIdConnect.php#L420
Patches
Has the problem been patched? What versions should users upgrade to?
TBD: Replace strcmp with
Yii::$app->getSecurity()->compareString()).Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
not as far as I see.
References
Are there any links users can visit to find out more?
- Database specific
{ "nvd_published_at": "2023-12-22T19:15:08Z", "cwe_ids": [ "CWE-203" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2023-12-18T20:01:00Z" }- References
-
- https://github.com/yiisoft/yii2-authclient/security/advisories/GHSA-w8vh-p74j-x9xp
- https://nvd.nist.gov/vuln/detail/CVE-2023-50708
- https://github.com/yiisoft/yii2-authclient/commit/dabddf2154ab7e7703740205a069202554089248
- https://github.com/yiisoft/yii2-authclient
- https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OAuth1.php#L158
- https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OAuth2.php#L121
- https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OpenIdConnect.php#L420
Affected packages
Packagist / yiisoft/yii2-authclient
Package
- Name
- yiisoft/yii2-authclient
- Purl
- pkg:composer/yiisoft/yii2-authclient
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.2.15