Home > Vulnerability Database > CVE-2023-37260

Mend.io Vulnerability Database

CVE-2023-37260

Good to know:

Date: July 6, 2023

league/oauth2-server is an implementation of an OAuth 2.0 authorization server written in PHP. Starting in version 8.3.2 and prior to version 8.5.3, servers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required. This issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 to receive the patch. As a workaround, pass the key as a file instead of a string.

Language: PHP

Severity Score

7.5

Related Resources (5)

Url: https://github.com/thephpleague/oauth2-server/security/advisories/GHSA-wj7q-gjg8-3cpm

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-37260

Url: https://github.com/thephpleague/oauth2-server/pull/1353

Url: https://github.com/thephpleague/oauth2-server/releases/tag/8.5.3

Url: https://www.mend.io/vulnerability-database/CVE-2023-37260

Severity Score

7.5

Weakness Type (CWE)

Generation of Error Message Containing Sensitive Information

CWE-209

Top Fix

Upgrade Version

Upgrade to version 8.5.2

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-37260

Good to know:

Date: July 6, 2023

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?