Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02Y3E1LThjajctZzU1OM4AAwgy

CodeIgniter4 Potential Session Handlers Vulnerability

Impact

When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to DatabaseHandler, MemcachedHandler, or RedisHandler, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages that require another session cookie (e.g., for admin pages).

Patches

Upgrade to version 4.2.11 or later.

Workarounds

Use only one session cookie.

References

https://codeigniter4.github.io/userguide/libraries/sessions.html#session-drivers

For more information

If you have any questions or comments about this advisory:

Open an issue in codeigniter4/CodeIgniter4
Email us at SECURITY.md

Permalink: https://github.com/advisories/GHSA-6cq5-8cj7-g558
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02Y3E1LThjajctZzU1OM4AAwgy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago

CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Identifiers: GHSA-6cq5-8cj7-g558, CVE-2022-46170
References:

Repository: https://github.com/codeigniter4/CodeIgniter4
Blast Radius: 28.7

Affected Packages

packagist:codeigniter4/framework

Dependent packages: 239
Dependent repositories: 2,160
Downloads: 1,934,858 total
Affected Version Ranges: < 4.2.11
Fixed in: 4.2.11
All affected versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10
All unaffected versions: 4.2.11, 4.2.12, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.5.0, 4.5.1