QwikSec

Security Database

CVE

CWE

Training

CVE-2023-50708

Published: Dec 22, 2023

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 `state` and OpenID Connect `nonce` is vulnerable for a `timing attack` since it is compared via regular string comparison (instead of `Yii::$app->getSecurity()->compareString()`). Version 2.2.15 contains a patch for the issue. No known workarounds are available.

Vendor	Product	Versions
yiisoft	yii2-authclient	affected `< 2.2.15`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/yiisoft/yii2-authclient/security/advisories/GHSA-w8vh-p74j-x9xp

x_refsource_CONFIRM

https://github.com/yiisoft/yii2-authclient/commit/dabddf2154ab7e7703740205a069202554089248

x_refsource_MISC

https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OAuth1.php#L158

x_refsource_MISC

https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OAuth2.php#L121

x_refsource_MISC

https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OpenIdConnect.php#L420

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2023-50708 | MEDIUM (6.1) - Security Vulnerability | QwikSec