
Generation of Error Message Containing Sensitive Information

CVE-2023-37260

Severity High
Score 7.5/10

Summary

league/oauth2-server is an OAuth 2.0 authorization server implementation written in PHP. In versions 8.3.2 through 8.5.2, a server that passes its key to the "CryptKey" constructor as a string (the PEM contents) rather than as a file path gets that key material echoed into the "LogicException" message when the key requires a pass phrase and none, or an invalid one, was supplied. Wherever that exception is logged, sent to an error tracker, or rendered in a debug page, the private key is exposed. The issue has been patched so that the supplied key is no longer included in the exception message in this scenario. As a workaround, pass the key as a file path instead of a string. If an affected version ever threw this exception in an environment where the message could have been captured, treat the key as compromised and rotate it.
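The following is an added illustration, not code from league/oauth2-server, of the CWE-209 pattern described above. A hypothetical ExampleKey class stands in for the library's CryptKey so the leaky and hardened exception messages can be compared side by side without installing the package; the encrypted RSA key is a constructed, throwaway fixture; and the only real library call referenced is the CryptKey constructor in the closing comment. It assumes PHP 8 with the openssl extension.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for league/oauth2-server's CryptKey (NOT the library's code).
// It accepts either a PEM string or a path, like the real constructor, and shows
// how the failure message decides whether the private key ends up in the exception.
final class ExampleKey
{
    private string $keyPath;   // the path we were given, or a placeholder for an inline key
    private bool $inline;

    public function __construct(string $keyPathOrPem, ?string $passPhrase, bool $leakyMessage)
    {
        // Simplified detection: PEM armour means the caller passed the key itself.
        $this->inline  = str_starts_with(ltrim($keyPathOrPem), '-----BEGIN');
        $pem           = $this->inline ? $keyPathOrPem : (string) file_get_contents($keyPathOrPem);
        $this->keyPath = $this->inline ? '<inline key>' : $keyPathOrPem;

        // openssl_pkey_get_private() returns false when the PEM is encrypted and the
        // pass phrase is missing or wrong, which is exactly the advisory's scenario.
        if (openssl_pkey_get_private($pem, $passPhrase) === false) {
            if ($leakyMessage) {
                // Vulnerable pattern: the "file name" IS the PEM when the key was passed inline.
                throw new LogicException('Unable to read key from file ' . $keyPathOrPem);
            }
            // Hardened pattern: never echo the caller-supplied string; name only a path
            // or a neutral placeholder, and hint at the likely cause instead.
            throw new LogicException(
                'Unable to read key from ' . $this->keyPath . ' (is the pass phrase correct?)'
            );
        }
    }
}

/** True when an exception or log message carries PEM-armoured private key material.
 *  Usable as-is to audit existing log files for CVE-2023-37260 exposure. */
function messageLeaksPem(string $message): bool
{
    return (bool) preg_match('/-----BEGIN [A-Z ]*PRIVATE KEY-----/', $message);
}

// Constructed fixture: a throwaway RSA key exported under a known pass phrase.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($key, $encryptedPem, 'correct horse');

// Construct both variants with the WRONG pass phrase and inspect what the exception carries.
foreach (['vulnerable' => true, 'hardened' => false] as $label => $leaky) {
    try {
        new ExampleKey($encryptedPem, 'wrong pass phrase', $leaky);
    } catch (LogicException $e) {
        printf("%-10s message contains private key: %s\n",
            $label, messageLeaksPem($e->getMessage()) ? 'YES' : 'no');
    }
}

// The advisory's workaround, using the library's real constructor (path first, pass phrase second):
//   $key = new \League\OAuth2\Server\CryptKey('/etc/oauth2/private.key', $passPhrase);
// Keep that file at mode 0600; the message on failure then names a path, not key material.
```

Run it with `php example.php`. The "vulnerable" variant's exception message contains the whole encrypted PEM block, because the code reused the caller's argument as if it were a file name; the "hardened" variant names only a placeholder. The messageLeaksPem() check is the same test a responder would run over application logs, error-tracker payloads and crash reports to decide whether a key from an affected deployment needs rotating.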

CVSS v3 base metrics

  • Attack complexity: LOW
  • Attack vector: NETWORK
  • Privileges required: NONE
  • Scope: UNCHANGED
  • User interaction: NONE
  • Availability: NONE
  • Confidentiality: HIGH
  • Integrity: NONE
  • Vector (derived from the metrics above): AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-209 - Generation of Error Message Containing Sensitive Information

The software generates an error message that includes sensitive information about its environment, users, or associated data.

Advisory Timeline

  • Published