Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13OXBoLXE0aDktcndxNs4AAYu2

CodeIgniter and Kohana vulnerable to PHP Object Injection

CodeIgniter before 3.0, and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2, compare cryptographic hashes with standard string comparison operators, which makes it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks.

Permalink: https://github.com/advisories/GHSA-w9ph-q4h9-rwq6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13OXBoLXE0aDktcndxNs4AAYu2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: over 1 year ago


CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00247
EPSS Percentile: 0.64993

Identifiers: GHSA-w9ph-q4h9-rwq6, CVE-2014-8684
References: Repository: https://github.com/kohana/core
Blast Radius: 26.9

Affected Packages

packagist:kohana/core
Dependent packages: 83
Dependent repositories: 553
Downloads: 507,509 total
Affected Version Ranges: < 3.3.3
Fixed in: 3.3.3
All affected versions: 3.2.3, 3.3.1, 3.3.2
All unaffected versions: 3.3.3, 3.3.4, 3.3.5, 3.3.6

packagist:codeigniter/framework
Dependent packages: 69
Dependent repositories: 509
Downloads: 1,844,784 total
Affected Version Ranges: < 3.0.0
Fixed in: 3.0.0
All affected versions:
All unaffected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13