CVE Vulnerability

CVE-2022-39284

CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting `$secure` or `$httponly` value to `true` in `ConfigCookie` is not reflected in `set_cookie()` or `Response::setCookie()`. As a result cookie values are erroneously exposed to scripts. It should be noted that this vulnerability does not affect session cookies. Users are advised to upgrade to v4.2.7 or later. Users unable to upgrade are advised to manually construct their cookies either by setting the options in code or by constructing Cookie objects. Examples of each workaround are available in the linked GHSA.

4.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie Technical Description Third Party Advisory
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies Technical Description Third Party Advisory
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp Mitigation Third Party Advisory
https://github.com/codeigniter4/CodeIgniter4/issues/6540 Exploit Issue Tracking
https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter%5CHTTP%5CResponse::setCookie Technical Description Third Party Advisory
https://github.com/codeigniter4/CodeIgniter4/pull/6544 Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*
Information

Published : 2022-10-06 08:15

Updated : 2022-10-11 04:26

NVD link : CVE-2022-39284

Mitre link : CVE-2022-39284

Products Affected
No products.
CWE
CWE-665