Vulnerability Description
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Codeigniter | Codeigniter | <= 2.2.6 |
| Kohanaframework | Kohana | 3.2.3 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-UnauthenticatedThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2014/May/54Mailing ListThird Party Advisory
- https://github.com/kohana/core/pull/492Third Party Advisory
- https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-iThird Party Advisory
- http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-UnauthenticatedThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2014/May/54Mailing ListThird Party Advisory
- https://github.com/kohana/core/pull/492Third Party Advisory
- https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-iThird Party Advisory
FAQ
What is CVE-2014-8684?
CVE-2014-8684 is a vulnerability with a CVSS score of 9.8 (CRITICAL). CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by levera...
How severe is CVE-2014-8684?
CVE-2014-8684 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2014-8684?
Check the references section above for vendor advisories and patch information. Affected products include: Codeigniter Codeigniter, Kohanaframework Kohana.