Yii2 Authclient
CVE-2023-50708
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 state and OpenID Connect nonce is vulnerable for a timing attack since it is compared via regular string comparison (instead of Yii::$app->getSecurity()->compareString()). Version 2.2.15 contains a patch for the issue. No known workarounds are available.
AnalysisAI
yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-203. yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 state and OpenID Connect nonce is vulnerable for a timing attack since it is compared via regular string comparison (instead of Yii::$app->getSecurity()->compareString()). Version 2.2.15 contains a patch for the issue. No known workarounds are available. Affected products include: Yiiframework Yii2-Authclient. Version information: version 2.2.15.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Yii2 Authclient
View allSame weakness CWE-203 – Observable Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today