CVE-2022-31157
LTI 1.3 Tool Library is a library used for building IMS-certified LTI 1.3 tool providers in PHP. Prior to version 5.0, the function used to generate random nonces was not sufficiently cryptographically complex. Users should upgrade to version 5.0 to receive a patch. There are currently no known workarounds.
Authentication Bypass by Capture-replay in packbackbooks/lti-1-3-php-library
High
dbhynds published GHSA-768m-5w34-2xf5
Jul 15, 2022
Package
packbackbooks/lti-1-3-php-library (Composer)
Affected versions
< 5.0
Patched versions
5.0
Description
Impact
The function used to generate random nonces was not cryptographically strong. As a result, nonce values may be predictable and tokens may be forgeable: a nonce an attacker can predict no longer binds an id_token to the single OIDC login request that created it, which is what the nonce exists to do (see the OpenID Connect reference below), so a captured token can be replayed against the tool.
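The following is an added example and is not code from packbackbooks/lti-1-3-php-library or from this advisory. It contrasts an illustrative weak nonce generator (labelled as such; it is not the library's actual pre-5.0 code) with one backed by PHP's random_bytes(), and adds a hypothetical single-use nonce store to show the capture-replay check (CWE-294) that an LTI 1.3 tool should perform on the id_token nonce claim. The NonceStore class, the function names and the constructed claims array are assumptions for the example.

```php
<?php
// Added example, not code from packbackbooks/lti-1-3-php-library.
// Contrasts a weak nonce generator with a cryptographically strong one and
// shows the single-use check that makes a captured id_token non-replayable.

declare(strict_types=1);

// Illustrative weak generator: output of a seeded PRNG is predictable to
// anyone who observes a few values. This is NOT the library's pre-5.0 code.
function weakNonce(): string
{
    return md5((string) mt_rand());
}

// Hardened generator: 32 bytes from the OS CSPRNG, hex-encoded (64 chars).
// random_bytes() throws on failure instead of falling back to a weak source.
function strongNonce(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// Hypothetical single-use nonce store (in-memory for the example). A real
// tool would back this with its cache or database and also bind each nonce
// to the browser session that initiated the OIDC login.
final class NonceStore
{
    /** @var array<string, int> nonce => expiry timestamp */
    private array $issued = [];

    public function issue(int $ttlSeconds = 600): string
    {
        $nonce = strongNonce();
        $this->issued[$nonce] = time() + $ttlSeconds;
        return $nonce;
    }

    // Returns true exactly once per issued, unexpired nonce; a replayed
    // id_token carrying the same nonce is rejected on the second call.
    public function consume(string $nonce): bool
    {
        if (!isset($this->issued[$nonce])) {
            return false;
        }
        $expires = $this->issued[$nonce];
        unset($this->issued[$nonce]);
        return $expires >= time();
    }
}

// Validate the nonce claim of an id_token payload against the store.
// $claims is the JWT payload as an array, after signature verification.
function validateNonceClaim(array $claims, NonceStore $store): void
{
    if (!isset($claims['nonce']) || !is_string($claims['nonce'])) {
        throw new RuntimeException('id_token is missing the nonce claim');
    }
    if (!$store->consume($claims['nonce'])) {
        throw new RuntimeException('nonce is unknown, expired, or already used');
    }
}

// Usage sketch.
$store = new NonceStore();
$nonce = $store->issue();   // sent as the nonce parameter of the OIDC auth request
$state = strongNonce();     // state should come from the same CSPRNG

// Constructed launch payload standing in for the platform's id_token claims.
$claims = ['iss' => 'https://platform.example', 'nonce' => $nonce];
validateNonceClaim($claims, $store);       // first use: accepted

try {
    validateNonceClaim($claims, $store);   // replay of the same token: rejected
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Two properties matter here: the nonce must be unpredictable (random_bytes, never mt_rand, rand or uniqid), and it must be accepted at most once, so that even a token captured from a legitimate launch cannot be presented a second time.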
Patches
Users should upgrade to version 5.0 immediately.
Workarounds
None.
References
- https://openid.net/specs/openid-connect-core-1_0.html#IDToken
Severity
High
CVE ID
CVE-2022-31157
Weaknesses
CWE-294