Описание
LTI 1.3 Tool Library's function used to generate random nonces not sufficiently cryptographically complex before v5.0
Impact
The function used to generate random nonces was not sufficiently cryptographically complex. As a result values may be predictable and tokens may be forgable.
Patches
Users should upgrade to version 5.0 immediately
Workarounds
None.
Ссылки
- https://github.com/packbackbooks/lti-1-3-php-library/security/advisories/GHSA-768m-5w34-2xf5
- https://nvd.nist.gov/vuln/detail/CVE-2022-31157
- https://github.com/packbackbooks/lti-1-3-php-library/commit/de19e8a0b28cdc7750fa3ca98471eeed26ba3e57
- https://openid.net/specs/openid-connect-core-1_0.html#IDToken
Пакеты
Наименование
packbackbooks/lti-1-3-php-library
composer
Затронутые версииВерсия исправления
< 5.0
5.0
Связанные уязвимости
CVSS3: 7.5
nvd
больше 3 лет назад
LTI 1.3 Tool Library is a library used for building IMS-certified LTI 1.3 tool providers in PHP. Prior to version 5.0, the function used to generate random nonces was not sufficiently cryptographically complex. Users should upgrade to version 5.0 to receive a patch. There are currently no known workarounds.