CVE-2023-50708

Опубликовано: 22 дек. 2023

Источник: nvd

CVSS3: 6.1

CVSS3: 9.8

EPSS Низкий

Описание

yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 state and OpenID Connect nonce is vulnerable for a timing attack since it is compared via regular string comparison (instead of Yii::$app->getSecurity()->compareString()). Version 2.2.15 contains a patch for the issue. No known workarounds are available.

Ссылки

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:yiiframework:yii2-authclient:*:*:*:*:*:*:*:*

Версия до 2.2.15 (исключая)

EPSS

Процентиль: 37%

0.00162

Низкий

6.1 Medium

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-203

NVD-CWE-Other

Связанные уязвимости

GHSA-w8vh-p74j-x9xp

github

около 2 лет назад

yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation

EPSS

Процентиль: 37%

0.00162

Низкий

6.1 Medium

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-203

NVD-CWE-Other