
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability CVE-2023-50708 affects yii2-authclient, an extension that adds OpenID, OAuth, OAuth2 and OpenID Connect consumers for the Yii framework 2.0. In versions prior to 2.2.15, the OAuth 1/2 state and OpenID Connect nonce parameters are vulnerable to timing attacks because they are checked with a regular string comparison instead of the secure Yii::$app->getSecurity()->compareString() method (GitHub Advisory).
The vulnerability lies in how authentication tokens are compared. The affected code uses the PHP strcmp() function to compare tokens in three components: the OAuth1 state token (OAuth1.php), the OAuth2 state token (OAuth2.php), and the OpenID Connect nonce value (OpenIdConnect.php). strcmp() stops at the first differing byte, so the time a comparison takes depends on how much of the supplied value matches; this makes the comparison vulnerable to timing attacks that could allow attackers to deduce the token values (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 6.1 MEDIUM by GitHub, while NIST assigned it a score of 9.8 CRITICAL (NVD).
A successful timing attack could allow attackers to bypass the state or nonce check by deducing the expected token, which could lead to unauthorized access to protected resources and impersonation of legitimate users (GitHub Advisory).
The vulnerability has been patched in version 2.2.15 of yii2-authclient. The fix involves replacing the standard string comparison (strcmp) with Yii's secure string comparison method Yii::$app->getSecurity()->compareString(). No known workarounds are available for users who cannot upgrade (GitHub Advisory).
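The comparison pattern the advisory describes beside a constant-time replacement, as an added example that is not code from yii2-authclient; the function names and session layout are assumed, and PHP's built-in hash_equals() stands in for Yii::$app->getSecurity()->compareString() so the block runs without the framework.

```php
<?php
// Added example, not yii2-authclient's code: a constructed model of the OAuth2
// "state" check (the OIDC "nonce" check has the same shape). Function names are
// hypothetical; the real fix swaps strcmp() for Yii's compareString().

// Vulnerable pattern (pre-2.2.15): strcmp() returns at the first differing
// byte, so comparison time leaks how many leading bytes of the guess matched.
function stateMatchesVulnerable(string $stored, string $received): bool
{
    return strcmp($stored, $received) === 0;
}

// Hardened pattern: hash_equals() compares in constant time for equal-length
// inputs, the same guarantee Yii's compareString() provides. Missing, empty or
// non-string callback values are rejected instead of being coerced.
function stateMatchesHardened(string $stored, $received): bool
{
    if (!is_string($received) || $received === '' || $stored === '') {
        return false;
    }
    return hash_equals($stored, $received);
}

// Simulated callback handling: the state is consumed on first use so a second
// callback carrying the same value cannot pass (assumed policy, not the library's).
function handleCallback(array &$session, $callbackState): bool
{
    $stored = $session['oauth_state'] ?? '';
    unset($session['oauth_state']);
    return stateMatchesHardened($stored, $callbackState);
}

// Constructed values: what the app saved before redirecting to the provider,
// and two candidates for what came back on the callback URL.
$session = ['oauth_state' => bin2hex(random_bytes(16))];
$good    = $session['oauth_state'];
$bad     = substr($good, 0, -1) . ($good[-1] === 'a' ? 'b' : 'a');

printf("vulnerable: good=%d bad=%d\n",
    stateMatchesVulnerable($good, $good), stateMatchesVulnerable($good, $bad));
printf("hardened:   good=%d bad=%d\n",
    stateMatchesHardened($good, $good), stateMatchesHardened($good, $bad));
printf("callback:   %d\n", handleCallback($session, $good));
printf("replay:     %d\n", handleCallback($session, $good));
```

When auditing a codebase for this pattern, grep for strcmp(), ==, or === applied to session-stored secrets (state, nonce, CSRF tokens) and route them through the framework's constant-time comparison.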
Source: This report was generated using AI