Headline
GHSA-j72f-h752-mx4w: Insertion of Sensitive Information into Log
Impact
If successful login attempts are recorded, the raw tokens are stored in the log table. If a malicious person somehow views the data in the log table, he or she can obtain a raw token, which can then be used to send a request with that user’s authority.
When you (1) use the following authentiactors,
- AccessTokens (
tokens) - JWT (
jwt) - HmacSha256 (
hmac)
and you (2) log successful login attempts, the raw tokens are stored.
Patches
Upgrade to Shield v1.0.0-beta.8 or later.
Workarounds
Disable logging for successful login attempts by the configuration files.
- AccessTokens or HmacSha256
- Set
Config\AuthToken::$recordLoginAttempttoAuth::RECORD_LOGIN_ATTEMPT_FAILUREorAuth::RECORD_LOGIN_ATTEMPT_NONE
- Set
- JWT
- Set
Config\AuthJWT::$recordLoginAttempttoAuth::RECORD_LOGIN_ATTEMPT_FAILUREorAuth::RECORD_LOGIN_ATTEMPT_NONE
- Set
References
- https://codeigniter4.github.io/shield/getting_started/authenticators/
For more information
If you have any questions or comments about this advisory:
- Open an issue or discussion in codeigniter4/shield
- Email us at [email protected]
Impact
If successful login attempts are recorded, the raw tokens are stored in the log table.
If a malicious person somehow views the data in the log table, he or she can obtain a raw token, which can then be used to send a request with that user’s authority.
When you (1) use the following authentiactors,
- AccessTokens (tokens)
- JWT (jwt)
- HmacSha256 (hmac)
and you (2) log successful login attempts, the raw tokens are stored.
Patches
Upgrade to Shield v1.0.0-beta.8 or later.
Workarounds
Disable logging for successful login attempts by the configuration files.
- AccessTokens or HmacSha256
- Set Config\AuthToken::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE
- JWT
- Set Config\AuthJWT::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE
References
- https://codeigniter4.github.io/shield/getting_started/authenticators/
For more information
If you have any questions or comments about this advisory:
- Open an issue or discussion in codeigniter4/shield
- Email us at [email protected]
References
- GHSA-j72f-h752-mx4w
- codeigniter4/shield@7e84c3f