Impact
The function used to generate random nonces was not sufficiently cryptographically complex. As a result values may be predictable and tokens may be forgable.
Patches
Users should upgrade to version 5.0 immediately
Workarounds
None.
References
- https://github.com/packbackbooks/lti-1-3-php-library/security/advisories/GHSA-768m-5w34-2xf5
- https://github.com/packbackbooks/lti-1-3-php-library/commit/de19e8a0b28cdc7750fa3ca98471eeed26ba3e57
- https://openid.net/specs/openid-connect-core-1_0.html#IDToken
- https://nvd.nist.gov/vuln/detail/CVE-2022-31157
- https://github.com/advisories/GHSA-768m-5w34-2xf5