GHSA-6cq5-8cj7-g558: CodeIgniter4 Potential Session Handlers Vulnerability
High severity GitHub Reviewed Published Dec 22, 2022 in codeigniter4/CodeIgniter4 • Updated Dec 22, 2022

Package

composer codeigniter4/framework (Composer)

Affected versions

< 4.2.11

Patched versions

4.2.11

Description

Impact

When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to DatabaseHandler, MemcachedHandler, or RedisHandler, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages that require another session cookie (e.g., for admin pages).

Patches

Upgrade to v4.2.11 or later.

Workarounds

  • Use only one session cookie.
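To make the impact concrete, the following is a constructed model added here (not CodeIgniter's code and not its actual fix) of two cookie-named session handlers sharing one backend, standing in for the Database/Memcached/Redis handlers. Keyed by session ID alone, a value minted for the user cookie resolves to a logged-in session when presented as the admin cookie; keyed by cookie name plus session ID, it does not. The handler, store, cookie names and session IDs are all assumptions.

```python
# Constructed model of the defect described above (not CodeIgniter code):
# two session cookies (user pages, admin pages) share ONE backend, standing
# in for the Database/Memcached/Redis handlers. Names and IDs are made up.
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class SharedStore:
    rows: Dict[str, dict] = field(default_factory=dict)  # the shared backend

@dataclass
class Handler:
    store: SharedStore
    cookie_name: str         # e.g. "ci_session" vs "ci_admin_session"
    isolate_by_cookie: bool  # False models the vulnerable behaviour

    def _key(self, session_id: str) -> str:
        # Vulnerable: rows are addressed by session ID alone, so every handler
        # sharing the backend resolves the same row for the same ID.
        # Hardened: the cookie name is part of the key, so a session created
        # under one cookie cannot be loaded through another.
        if self.isolate_by_cookie:
            return f"{self.cookie_name}:{session_id}"
        return session_id

    def write(self, session_id: str, data: dict) -> None:
        self.store.rows[self._key(session_id)] = dict(data)

    def read(self, session_id: str) -> Optional[dict]:
        return self.store.rows.get(self._key(session_id))

def admin_page_allows(admin: Handler, presented_cookie_value: str) -> bool:
    """Admin gate: the admin cookie must resolve to a logged-in session."""
    session = admin.read(presented_cookie_value)
    return bool(session and session.get("logged_in"))

def run_scenario(isolate_by_cookie: bool) -> Dict[str, bool]:
    store = SharedStore()
    user_sessions = Handler(store, "ci_session", isolate_by_cookie)
    admin_sessions = Handler(store, "ci_admin_session", isolate_by_cookie)
    user_sid, admin_sid = "c0ffee1234user", "deadbeef5678admin"  # constructed IDs
    # A regular user logs in on the user site; an administrator on the admin site.
    user_sessions.write(user_sid, {"logged_in": True, "user_id": 42})
    admin_sessions.write(admin_sid, {"logged_in": True, "user_id": 1})
    return {
        # The user's own cookie value sent as the admin cookie:
        "user_cookie_passes_admin_gate": admin_page_allows(admin_sessions, user_sid),
        "real_admin_still_works": admin_page_allows(admin_sessions, admin_sid),
    }
```

With `isolate_by_cookie=False` the user cookie passes the admin gate; with the cookie name in the key it is rejected while a genuine admin session still loads, which is the same isolation the single-cookie workaround achieves by construction.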

References

  • https://codeigniter4.github.io/userguide/libraries/sessions.html#session-drivers

For more information

If you have any questions or comments about this advisory:

  • Open an issue in codeigniter4/CodeIgniter4
  • Email us at SECURITY.md

References

  • GHSA-6cq5-8cj7-g558
  • codeigniter4/CodeIgniter4@f9fb657
  • https://codeigniter4.github.io/userguide/libraries/sessions.html#session-drivers

MGatner published the maintainer security advisory

Dec 22, 2022

Severity: High (8.6 / 10)

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: Low
  • Availability: Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Weaknesses: CWE-287

CVE ID: CVE-2022-46170

GHSA ID: GHSA-6cq5-8cj7-g558

Source code: codeigniter4/CodeIgniter4

Credits

  • srtnlgn


Related news

CVE-2022-46170: Merge pull request from GHSA-6cq5-8cj7-g558 · codeigniter4/CodeIgniter4@f9fb657

CodeIgniter is a PHP full-stack web framework. When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to `DatabaseHandler`, `MemcachedHandler`, or `RedisHandler`, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages that require another session cookie (e.g., for admin pages). This issue has been patched, please upgrade to version 4.2.11 or later. As a workaround, use only one session cookie.