CVE-2022-35943 — MEDIUM (5.9)

Q: How severe is CVE-2022-35943?

CVE-2022-35943 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-35943?

Check the references section above for vendor advisories and patch information. Affected products include: Codeigniter Codeigniter, Codeigniter Shield.

Vulnerability Description

Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`). Upgrade to **CodeIgniter v4.2.3 or later** and **Shield v1.0.0-beta.2 or later**. As a workaround: set `Config\Security::$csrfProtection` to `'session,'`remove old session data right after login (immediately after ID and password match) and regenerate CSRF token right after login (immediately after ID and password match)

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Codeigniter	Codeigniter	< 4.2.3
Codeigniter	Shield	1.0.0

Related Weaknesses (CWE)

CWE-352

References

https://codeigniter4.github.io/userguide/libraries/security.htmBroken Link
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSiteThird Party Advisory
https://github.com/codeigniter4/shield/security/advisories/GHSA-5hm8-vh6r-2cjqExploitMitigationThird Party Advisory
https://jub0bs.com/posts/2021-01-29-great-samesite-confusionThird Party Advisory
https://codeigniter4.github.io/userguide/libraries/security.htmBroken Link
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSiteThird Party Advisory
https://github.com/codeigniter4/shield/security/advisories/GHSA-5hm8-vh6r-2cjqExploitMitigationThird Party Advisory
https://jub0bs.com/posts/2021-01-29-great-samesite-confusionThird Party Advisory

FAQ

What is CVE-2022-35943?

CVE-2022-35943 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF prote...

How severe is CVE-2022-35943?

CVE-2022-35943 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-35943?

Check the references section above for vendor advisories and patch information. Affected products include: Codeigniter Codeigniter, Codeigniter Shield.