CVE-2022-35943 codeigniter4/shield

Package

Manager: composer
Name: codeigniter4/shield
Vulnerable Version: =1.0.0-beta || >=1.0.0-beta <1.0.0-beta.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00145 (percentile 0.35395)

Details

CodeIgniter Shield Vulnerable to SameSite Attackers Bypassing the CSRF Protection

### Impact

This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter Shield.

For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`).

This vulnerability exists whether `Config\Security::$csrfProtection` is `'cookie'` or `'session'`. It is also exploitable whether `Config\Security::$regenerate` is `true` or `false`.

### Patches

Upgrade to **CodeIgniter v4.2.3 or later** and **Shield v1.0.0-beta.2 or later**.

### Workarounds

Do all of the following:

- set `Config\Security::$csrfProtection` to `'session'`
- remove old session data right after login (immediately after ID and password match)
- regenerate CSRF token right after login (immediately after ID and password match)

### References

- [CodeIgniter4 CSRF Protection](https://codeigniter4.github.io/userguide/libraries/security.html)
- [SameSite Attacks](https://canitakeyoursubdomain.name/)
- [SameSite Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)
- [The great SameSite confusion](https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/)

### For more information

If you have any questions or comments about this advisory:

* Open an issue or discussion in [codeigniter4/shield](https://github.com/codeigniter4/shield)
* Email us at [security@codeigniter.com](mailto:security@codeigniter.com)
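The three workaround steps above share one defensive idea: a session (and the CSRF token kept in it) that existed before the user authenticated must not survive authentication, so nothing an attacker could have fixed or learned beforehand remains valid afterwards. The following is an added example, not code from CodeIgniter or Shield: a constructed in-memory session store (`SessionStore`, `csrf_token`, `csrf_verify`, `login_weak`, `login_hardened` are all names assumed for this illustration) that contrasts a login that keeps the pre-authentication session with one that applies the workaround. It checks, from the server's side only, whether a token issued before login is still accepted after it.

```python
import hmac
import secrets


class SessionStore:
    """In-memory server-side session store (constructed for this example)."""

    def __init__(self):
        self.sessions = {}  # session id -> session data dict

    def start(self):
        """Create a fresh session with a server-generated id."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def data(self, sid):
        return self.sessions[sid]

    def destroy(self, sid):
        """Remove all data of a session (workaround step 2)."""
        self.sessions.pop(sid, None)


def csrf_token(store, sid):
    """Session-mode CSRF token: kept server-side, created on first use."""
    sess = store.data(sid)
    if "csrf_hash" not in sess:
        sess["csrf_hash"] = secrets.token_hex(16)
    return sess["csrf_hash"]


def regenerate_csrf_token(store, sid):
    """Replace the stored token with a new one (workaround step 3)."""
    store.data(sid)["csrf_hash"] = secrets.token_hex(16)
    return store.data(sid)["csrf_hash"]


def csrf_verify(store, sid, submitted):
    """Accept a request only if the submitted token matches the session's."""
    sess = store.sessions.get(sid)
    if not sess or "csrf_hash" not in sess:
        return False
    return hmac.compare_digest(sess["csrf_hash"], submitted)


def login_weak(store, sid, user):
    """Login that keeps the pre-authentication session and its token."""
    store.data(sid)["user"] = user
    return sid


def login_hardened(store, sid, user):
    """Login applying the workaround: drop the old session data, issue a
    new session id, and regenerate the CSRF token, all right after the
    credential check succeeds."""
    store.destroy(sid)
    new_sid = store.start()
    store.data(new_sid)["user"] = user
    regenerate_csrf_token(store, new_sid)
    return new_sid


def run_scenario(login_fn):
    """Issue a token before login, then test what is accepted after login."""
    store = SessionStore()
    sid = store.start()
    pre_login_token = csrf_token(store, sid)  # known before authentication
    sid_after = login_fn(store, sid, "alice")
    return {
        "session_id_changed": sid_after != sid,
        "pre_login_token_accepted": csrf_verify(store, sid_after, pre_login_token),
        "current_token_accepted": csrf_verify(store, sid_after, csrf_token(store, sid_after)),
    }


if __name__ == "__main__":
    print("weak:    ", run_scenario(login_weak))
    print("hardened:", run_scenario(login_hardened))
```

With `login_weak`, the token obtained before authentication is still accepted once the user is logged in, which is exactly the state the advisory's workaround is designed to remove; with `login_hardened`, the old session id no longer exists and only the token regenerated after login verifies. In a real CodeIgniter application the same two steps correspond to discarding the session and regenerating the CSRF hash in the login flow immediately after the ID and password match, as the advisory describes.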

Metadata

Created: 2022-08-18T19:03:34Z
Modified: 2022-08-18T19:03:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-5hm8-vh6r-2cjq/GHSA-5hm8-vh6r-2cjq.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-5hm8-vh6r-2cjq
Finding: F007
Auto approve: 1