Generation of Error Message Containing Sensitive Information
CVE-2023-37260
Summary
league/oauth2-server is an implementation of an OAuth 2.0 authorization server written in PHP. In versions 8.3.2 through 8.5.2, a server that passed its key to the "CryptKey" constructor as a string (the key material itself) rather than as a file path, and did not supply a valid pass phrase where the key required one, had that key material included in the message of the "LogicException" thrown on the failed load. Exception messages routinely end up in application logs, error pages and crash reporters, so the private key can be exposed to anyone who can read those. This issue has been patched so that the provided key is no longer included in the exception message in the scenario outlined above. As a workaround, pass the key as a file path instead of a string, so that a failed load can only name the file.
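The following is an added example, not code from league/oauth2-server, that re-creates the pattern the advisory describes: a key loader that accepts either a file path or raw PEM material, and whose failure message echoes the constructor argument. The class names, the "-----BEGIN" heuristic for telling key material from a path, and the helper that implements the workaround are assumptions made for this example. It generates a throwaway encrypted RSA key, loads it with a wrong pass phrase through a vulnerable and a fixed loader, and checks whether the exception text contains the key.

```php
<?php
declare(strict_types=1);

// Illustrative re-implementation of the CWE-209 pattern from the advisory.
// Not league/oauth2-server code: all names below are assumptions.

// Assumed heuristic: a string starting with a PEM header is key material,
// anything else is treated as a file path.
function looksLikePem(string $s): bool
{
    return str_starts_with(ltrim($s), '-----BEGIN');
}

final class KeyLoaderVulnerable
{
    public function __construct(string $keyPath, ?string $passPhrase = null)
    {
        $contents = looksLikePem($keyPath) ? $keyPath : (string) file_get_contents($keyPath);

        if (openssl_pkey_get_private($contents, $passPhrase) === false) {
            // Vulnerable: $keyPath is interpolated verbatim. When the caller
            // passed the key as a string, this message carries the private key.
            throw new LogicException('Unable to read key from file ' . $keyPath);
        }
    }
}

final class KeyLoaderFixed
{
    public function __construct(string $keyPath, ?string $passPhrase = null)
    {
        $isPem = looksLikePem($keyPath);
        $contents = $isPem ? $keyPath : (string) file_get_contents($keyPath);

        if (openssl_pkey_get_private($contents, $passPhrase) === false) {
            // Fixed: only a non-secret identifier reaches the message.
            $source = $isPem ? 'key string (contents withheld)' : 'file ' . $keyPath;
            throw new LogicException('Unable to read key from ' . $source);
        }
    }
}

// Workaround from the advisory: hand the loader a file path instead of the key.
// Assumed helper: writes the PEM to a mode-0600 temp file and returns its path.
function keyStringToProtectedFile(string $pem): string
{
    $path = tempnam(sys_get_temp_dir(), 'key');
    if ($path === false) {
        throw new RuntimeException('could not create temp file');
    }
    chmod($path, 0600);
    file_put_contents($path, $pem);
    return $path;
}

// Constructed input: a fresh RSA key, exported encrypted under a pass phrase
// so that loading it with the wrong pass phrase fails.
$res = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($res, $encryptedPem, 'correct horse battery staple');

foreach (['vulnerable' => KeyLoaderVulnerable::class, 'fixed' => KeyLoaderFixed::class] as $label => $class) {
    try {
        new $class($encryptedPem, 'wrong pass phrase');
    } catch (LogicException $e) {
        // Any PEM private key block, encrypted or not, contains "PRIVATE KEY".
        $leaks = str_contains($e->getMessage(), 'PRIVATE KEY');
        printf("%-10s key material in exception message: %s\n", $label, $leaks ? 'yes' : 'no');
    }
}

// The workaround applied to the vulnerable loader: the message names the file only.
$path = keyStringToProtectedFile($encryptedPem);
try {
    new KeyLoaderVulnerable($path, 'wrong pass phrase');
} catch (LogicException $e) {
    printf("workaround message: %s\n", $e->getMessage());
} finally {
    unlink($path);
}
```

When auditing a code base for this class of bug, grep exception and log calls for interpolated constructor arguments, configuration values and request bodies; a message that names the source of a secret ("file /etc/app/private.key", "key string") is enough for debugging, and the secret itself should never be part of it.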
CVSS v3 base metrics (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base score 7.5 High):
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Availability Impact: NONE
- Scope: UNCHANGED
- Privileges Required: NONE
- User Interaction: NONE
- Confidentiality Impact: HIGH
- Integrity Impact: NONE
CWE-209 - Generation of Error Message Containing Sensitive Information
The software generates an error message that includes sensitive information about its environment, users, or associated data.
References
Advisory Timeline
- Published