CVE-2023-37260
HIGH
league/oauth2-server 8.3.2-8.5.3 - Sensitive Information Exposure in CryptKey Error Message
Title source: llmDescription
league/oauth2-server is an implementation of an OAuth 2.0 authorization server written in PHP. Starting in version 8.3.2 and prior to version 8.5.3, servers that passed their keys to the CryptKey constructor as a string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required. This issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 to receive the patch. As a workaround, pass the key as a file instead of a string.
References (3)
Vendor Advisory x_refsource_confirm
https://github.com/thephpleague/oauth2-server/security/advisories/GHSA-wj7q-gjg8-3cpm
Patch x_refsource_misc
https://github.com/thephpleague/oauth2-server/pull/1353
Release Notes x_refsource_misc
https://github.com/thephpleague/oauth2-server/releases/tag/8.5.3
Scores
CVSS v3
8.2
EPSS
0.0078
EPSS Percentile
51.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-209
Status
published
Products (2)
league/oauth2-server
8.3.2 - 8.4.2 (Packagist)
thephpleague/oauth2-server
8.3.2 - 8.5.3
Published
Jul 06, 2023
Tracked Since
Feb 18, 2026