Headline
GHSA-6cq5-8cj7-g558: CodeIgniter4 Potential Session Handlers Vulnerability
Impact
When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to DatabaseHandler
, MemcachedHandler
, or RedisHandler
, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages that require another session cookie (e.g., for admin pages).
Patches
Upgrade to v4.2.11 or later.
Workarounds
- Use only one session cookie.
References
- https://codeigniter4.github.io/userguide/libraries/sessions.html#session-drivers
For more information
If you have any questions or comments about this advisory:
- Open an issue in codeigniter4/CodeIgniter4
- Email us at SECURITY.md
CodeIgniter4 Potential Session Handlers Vulnerability
High severity GitHub Reviewed Published Dec 22, 2022 in codeigniter4/CodeIgniter4 • Updated Dec 22, 2022
Package
composer codeigniter4/framework (Composer)
Affected versions
< 4.2.11
Patched versions
4.2.11
Description
Impact
When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to DatabaseHandler, MemcachedHandler, or RedisHandler, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages that require another session cookie (e.g., for admin pages).
Patches
Upgrade to v4.2.11 or later.
Workarounds
- Use only one session cookie.
References
- https://codeigniter4.github.io/userguide/libraries/sessions.html#session-drivers
For more information
If you have any questions or comments about this advisory:
- Open an issue in codeigniter4/CodeIgniter4
- Email us at SECURITY.md
References
- GHSA-6cq5-8cj7-g558
- codeigniter4/CodeIgniter4@f9fb657
- https://codeigniter4.github.io/userguide/libraries/sessions.html#session-drivers
MGatner published the maintainer security advisory
Dec 22, 2022
Severity
High
8.6
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Weaknesses
CWE-287
CVE ID
CVE-2022-46170
GHSA ID
GHSA-6cq5-8cj7-g558
Source code
codeigniter4/CodeIgniter4
Credits
- srtnlgn
Checking history
See something to contribute? Suggest improvements for this vulnerability.
Related news
CodeIgniter is a PHP full-stack web framework. When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to `DatabaseHandler`, `MemcachedHandler`, or `RedisHandler`, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages that require another session cookie (e.g., for admin pages). This issue has been patched, please upgrade to version 4.2.11 or later. As a workaround, use only one session cookie.