CVE-2023-50714: The Oauth2 PKCE implementation is vulnerable
First published: Mon Dec 18 2023(Updated: )
### Impact _What kind of vulnerability is it? Who is impacted?_ Original Report: > The Oauth2 PKCE implementation is vulnerable in 2 ways: > 1. The `authCodeVerifier` should be removed after usage (similar to 'authState') > 2. There is a risk for a "downgrade attack" if PKCE is being relied on for CSRF protection. ### Patches _Has the problem been patched? What versions should users upgrade to?_ 2.2.15 ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ not known yet. ### References _Are there any links users can visit to find out more?_
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/yiisoft/yii2-authclient | <2.2.15 | 2.2.15 |
| Yii2-authclient | <2.2.15 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/yiisoft/yii2-authclient/security/advisories/GHSA-rw54-6826-c8j5
- https://github.com/yiisoft/yii2-authclient/commit/721ed974bc44137437b0cdc8454e137fff8db213
- https://nvd.nist.gov/vuln/detail/CVE-2023-50714
- https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OAuth1.php#L158
- https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OAuth2.php#L121
- https://github.com/yiisoft/yii2-authclient/blob/0d1c3880f4d79e20aa1d77c012650b54e69695ff/src/OpenIdConnect.php#L420
- https://github.com/advisories/GHSA-rw54-6826-c8j5 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2023-50714?
CVE-2023-50714 is classified with a moderate severity due to vulnerabilities in the Oauth2 PKCE implementation.
How do I fix CVE-2023-50714?
To remediate CVE-2023-50714, upgrade to version 2.2.15 or later of the yii2-authclient package.
What types of attacks are possible with CVE-2023-50714?
CVE-2023-50714 is susceptible to downgrading attacks due to improper handling of the authCodeVerifier.
Which versions of yii2-authclient are affected by CVE-2023-50714?
CVE-2023-50714 affects all versions of the yii2-authclient package up to version 2.2.15.
Who is primarily impacted by CVE-2023-50714?
Developers using the yii2-authclient package for Oauth2 PKCE authentication are primarily impacted by CVE-2023-50714.
- collector/github-advisory-latest
- alias/GHSA-rw54-6826-c8j5
- alias/CVE-2023-50714
- collector/nvd-cve
- collector/github-advisory
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/title
- agent/weakness
- agent/references
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/author
- package-manager/composer
- vendor/yiiframework
- canonical/yii2-authclient