Impact
What kind of vulnerability is it? Who is impacted?
Original Report:
The OAuth1/2 "state" and OpenID Connect "nonce" are vulnerable to a "timing attack" since they are compared via regular string comparison (instead of Yii::$app->getSecurity()->compareString()).
Affected Code:
- OAuth 1 "state"
    if (strcmp($requestToken->getToken(), $oauthToken) !== 0) {
- OAuth 2 "state"
    if (!isset($incomingState) || empty($authState) || strcmp($incomingState, $authState) !== 0) {
- OpenID Connect "nonce"
    if (!isset($jwsData['nonce']) || empty($authNonce) || strcmp($jwsData['nonce'], $authNonce) !== 0) {
Patches
Has the problem been patched? What versions should users upgrade to?
TBD: Replace strcmp with Yii::$app->getSecurity()->compareString().
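An added example (not code from yii2-authclient or from this advisory) of the replacement described above. It uses PHP's built-in hash_equals() so it runs without the framework; in a Yii application the same check would go through Yii::$app->getSecurity()->compareString(). The helper name tokenMatches() and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Compare a value received in the provider callback ("state", "nonce",
 * request token) with the value stored in the session.
 * Hypothetical helper, not part of yii2-authclient. Requires PHP 8.0+.
 */
function tokenMatches(mixed $received, mixed $stored): bool
{
    // Reject missing, empty or non-string input up front. A query
    // parameter sent as state[]=x arrives as an array, and both strcmp()
    // and hash_equals() throw a TypeError on it in PHP 8.
    if (!is_string($received) || !is_string($stored)
        || $received === '' || $stored === '') {
        return false;
    }

    // hash_equals() takes the known (stored) value first. Its running
    // time does not depend on the position of the first differing byte,
    // which is the property the strcmp() checks lack.
    return hash_equals($stored, $received);
}

// Constructed sample data: a random session value and several callbacks.
$authState = bin2hex(random_bytes(16));

$cases = [
    'exact match'              => $authState,
    'last character differs'   => substr($authState, 0, -1) . 'x',
    'correct prefix only'      => substr($authState, 0, 8),
    'empty string'             => '',
    'parameter missing'        => null,
    'parameter sent as array'  => ['x'],
];

foreach ($cases as $label => $incoming) {
    printf("%-26s %s\n", $label, tokenMatches($incoming, $authState) ? 'accept' : 'reject');
}
```

Only the first case is accepted; every other case is rejected without raising an error.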
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Not as far as I see.
References
Are there any links users can visit to find out more?
Affected code locations:
- OAuth 1 "state": yii2-authclient/src/OAuth1.php, line 158 in 0d1c388
- OAuth 2 "state": yii2-authclient/src/OAuth2.php, line 121 in 0d1c388
- OpenID Connect "nonce": yii2-authclient/src/OpenIdConnect.php, line 420 in 0d1c388