CVE-2023-50708

Summary

yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 state and OpenID Connect nonce is vulnerable for a timing attack since it is compared via regular string comparison (instead of Yii::$app->getSecurity()->compareString()). Version 2.2.15 contains a patch for the issue. No known workarounds are available.

Affected Software

VendorProductVersion RangeStatus
yiisoftyii2-authclient< 2.2.15affected

Weaknesses

  • CWE-203: CWE-203: Observable Discrepancy

ADP Enrichment

CVE Program Container

Additional References

References