CVE-2023-50714: 
PHP vulnerability analysis and mitigation

CVE-2023-50714 affects yii2-authclient, an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. The vulnerability was discovered in versions prior to 2.2.15, where the OAuth2 PKCE (Proof Key for Code Exchange) implementation contained two critical security flaws. The issue was disclosed on December 22, 2023, and has been assigned a CVSS v3.1 base score of 8.8 HIGH by NIST (NVD).

The vulnerability consists of two main issues in the OAuth2 PKCE implementation: First, the authCodeVerifier is not properly removed after usage (unlike the authState parameter). Second, there is a vulnerability to a downgrade attack when PKCE is being relied upon for CSRF protection. The issue affects the authentication flow in the OAuth2 implementation (GitHub Advisory).

The vulnerability could potentially allow attackers to bypass authentication mechanisms and perform unauthorized actions. With a CVSS score of 8.8 HIGH, the vulnerability has significant potential impact on both confidentiality and integrity of the affected systems, particularly in scenarios where PKCE is used for CSRF protection (NVD).

The vulnerability has been patched in version 2.2.15 of yii2-authclient. The fix includes proper removal of the authCodeVerifier after usage and implementation of protection against PKCE downgrade attacks. No known workarounds are available, making upgrading to version 2.2.15 the only recommended solution (GitHub Advisory).