CVE-2023-37260

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Jul 6, 2023

Updated: Jul 13, 2023

CWE ID 209

Summary

CVE-2023-37260 affects the league/oauth2-server, an OAuth 2.0 authorization server written in PHP. In versions 8.3.2 and below, passing a key as a string to the CryptKey constructor instead of a file path may result in the key being exposed in a LogicException message if an incorrect passphrase is used. This issue has been addressed in version 8.5.3 by removing the key from the exception message. To mitigate the risk, users should upgrade to the latest version, or pass the key as a file instead of a string as a workaround.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

https://app.recordedfuture.com/live/sc/entity/r1MTWs
https://www.cve.org/CVERecord?id=CVE-2023-37260
https://nvd.nist.gov/vuln/detail/CVE-2023-37260

Back to Vulnerability Database

CVE-2023-37260

CVSS 3.1 Score 7.5 of 10 (high)

Details

Summary

Advisories, Assessments, and Mitigations