CVE-2023-50714

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-50714

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-50714.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-50714

Aliases

GHSA-rw54-6826-c8j5

Published

2023-12-22T18:30:03.118Z

Modified

2025-12-05T00:13:01.333322Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

The Oauth2 PKCE implementation is vulnerable

Details

yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the authCodeVerifier should be removed after usage (similar to authState). Second, there is a risk for a downgrade attack if PKCE is being relied on for CSRF protection. Version 2.2.15 contains a patch for the issue. No known workarounds are available.

Database specific

{
    "cwe_ids": [
        "CWE-347",
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/50xxx/CVE-2023-50714.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/yiisoft/yii2-authclient

Affected ranges

Type: GIT
Repo: https://github.com/yiisoft/yii2-authclient
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

a11cbb065a2424c25f9dc0d0df6852d605d869b2

Affected versions

2.*

2.0.0

2.0.0-beta

2.0.0-rc

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.2.0

2.2.1

2.2.10

2.2.11

2.2.12

2.2.13

2.2.14

2.2.2

2.2.3

2.2.4

2.2.6

2.2.7

2.2.8

2.2.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-50714.json"