Headline
GHSA-768m-5w34-2xf5: Use of Insufficiently Random Values in packbackbooks/lti-1-3-php-library
Impact
The function used to generate random nonces was not sufficiently cryptographically complex. As a result, values may be predictable and tokens may be forgeable.
Patches
Users should upgrade to version 5.0 immediately.
Workarounds
None.
High severity GitHub Reviewed Published Jul 15, 2022 in packbackbooks/lti-1-3-php-library • Updated Jul 15, 2022
Package
packbackbooks/lti-1-3-php-library (Composer)
Affected versions
< 5.0
Patched versions
5.0
References
- GHSA-768m-5w34-2xf5
- packbackbooks/lti-1-3-php-library@de19e8a
- https://openid.net/specs/openid-connect-core-1_0.html#IDToken
dbhynds published the maintainer security advisory
Jul 15, 2022
Severity
High
Weaknesses
CWE-330
CVE ID
CVE-2022-31157
GHSA ID
GHSA-768m-5w34-2xf5
Related news
LTI 1.3 Tool Library is a library used for building IMS-certified LTI 1.3 tool providers in PHP. Prior to version 5.0, the function used to generate random nonces was not sufficiently cryptographically complex. Users should upgrade to version 5.0 to receive a patch. There are currently no known workarounds.
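The weakness class named in this advisory (CWE-330), shown as an added example that is not the library's code: a nonce drawn from a time-based source next to one drawn from the operating system's CSPRNG, with single-use validation of the value returned in the ID token. The class `NonceStore`, its methods, the in-memory storage and the 600-second lifetime are assumptions made for illustration, and `uniqid()` stands in for a non-cryptographic source because the page does not show the pre-5.0 function. It requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added illustration; NonceStore and its methods are hypothetical names,
// not part of packbackbooks/lti-1-3-php-library.
final class NonceStore
{
    /** @var array<string,int> nonce => expiry timestamp (stand-in for a cache or database) */
    private array $issued = [];

    public function __construct(private int $ttlSeconds = 600) {}

    // Weak pattern: uniqid() is built from the current time, so anyone who
    // knows roughly when it ran can narrow down the value. PHP documents it
    // as unsuitable for security purposes.
    public static function weakNonce(): string
    {
        return uniqid('nonce-', true);
    }

    // Hardened pattern: 32 bytes (256 bits) from the OS CSPRNG, hex-encoded,
    // recorded with an expiry so it can be checked when the ID token arrives.
    public function issue(): string
    {
        $nonce = bin2hex(random_bytes(32));
        $this->issued[$nonce] = time() + $this->ttlSeconds;
        return $nonce;
    }

    // Accept the nonce claim once, and only before it expires. The entry is
    // removed on every lookup so a replayed token cannot reuse it.
    public function consume(string $claimed): bool
    {
        $expiry = $this->issued[$claimed] ?? null;
        unset($this->issued[$claimed]);
        return $expiry !== null && $expiry >= time();
    }
}

// Constructed demo: issue one nonce, present it twice, then present a value
// that was never issued.
$store = new NonceStore();
$nonce = $store->issue();
var_dump($store->consume($nonce));
var_dump($store->consume($nonce));
var_dump($store->consume('nonce-never-issued'));
```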