CVE-2023-37260: league/oauth2-server key exposed in exception message when passing as string and providing invalid pass phrase

First published: Thu Jul 06 2023(Updated: )

### Impact Servers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required. ### Patches This issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 or 8.4.2 to receive the patch. ### Workarounds We recommend upgrading the oauth2-server to one of the patched releases (8.5.3 or 8.4.2). If you are unable to upgrade you can avoid this security issue by passing your key as a file instead of a string. ### References * [Fix for 8.4.x](https://github.com/thephpleague/oauth2-server/pull/1359) * [Fix for 8.5.x](https://github.com/thephpleague/oauth2-server/pull/1353)

Credit: security-advisories@github.com security-advisories@github.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/github-advisory
• alias/GHSA-wj7q-gjg8-3cpm
• alias/CVE-2023-37260
• collector/github-advisory-latest
• collector/nvd-index
• collector/nvd-cve
• agent/references
• agent/author
• agent/type
• agent/softwarecombine
• agent/weakness
• agent/severity
• agent/title
• agent/remedy
• agent/description
• agent/first-publish-date
• agent/event
• agent/tags
• collector/mitre-cve
• source/MITRE
• agent/last-modified-date
• agent/trending
• package-manager/composer
• vendor/thephpleague
• canonical/thephpleague oauth2-server
• version/thephpleague oauth2-server/8.3.2