Vulnerability Description
CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7, setting `$secure` or `$httponly` to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`. As a result, cookie values are erroneously exposed to scripts. It should be noted that this vulnerability does not affect session cookies. Users are advised to upgrade to v4.2.7 or later. Users unable to upgrade are advised to manually construct their cookies, either by setting the options in code or by constructing Cookie objects. Examples of each workaround are available in the linked GHSA.
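The two workarounds named above, written out as an added example (not code from the advisory, the GHSA, or the CodeIgniter project); it assumes the CodeIgniter 4 class and method names as documented in the user guide, and the `cookieIsHardened()` check at the end is a hypothetical helper for confirming the flags before the response is sent:

```php
<?php
// Pre-4.2.7 defect: Config\Cookie::$secure / $httponly are ignored by
// set_cookie() and Response::setCookie(), so the flags must be passed
// explicitly on each call. Class/method names assumed from the CI4 user guide.

use CodeIgniter\Cookie\Cookie;
use CodeIgniter\HTTP\ResponseInterface;

/**
 * Workaround 1: set the options in code instead of relying on Config\Cookie.
 * Positional order follows Response::setCookie():
 * name, value, expire, domain, path, prefix, secure, httponly, samesite.
 */
function setHardenedCookie(ResponseInterface $response, string $name, string $value): ResponseInterface
{
    return $response->setCookie(
        $name,
        $value,
        3600,   // expire: seconds from now
        '',     // domain: current host
        '/',    // path
        '',     // prefix
        true,   // secure: sent over HTTPS only
        true,   // httponly: not readable from document.cookie
        'Lax'   // samesite
    );
}

/**
 * Workaround 2: build a Cookie object, whose options are honoured regardless
 * of the Config\Cookie defect, and hand it to the response.
 */
function setHardenedCookieObject(ResponseInterface $response, string $name, string $value): ResponseInterface
{
    $cookie = new Cookie($name, $value, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    return $response->setCookie($cookie);
}

/**
 * Hypothetical check: confirm both flags reached the queued cookie, e.g. from
 * a feature test or an "after" filter, before the headers go out.
 */
function cookieIsHardened(ResponseInterface $response, string $name): bool
{
    if (! $response->hasCookie($name)) {
        return false;
    }

    return $response->getCookie($name)->isSecure() && $response->getCookie($name)->isHTTPOnly();
}
```

The same flags can be confirmed from outside the application by inspecting the `Set-Cookie` response header for the `Secure` and `HttpOnly` attributes.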
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Codeigniter | Codeigniter | >= 4.0.0, < 4.2.7 |
Related Weaknesses (CWE)
References
- https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie (Technical Description, Third Party Advisory)
- https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter%5CHT (Technical Description, Third Party Advisory)
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_coo (Technical Description, Third Party Advisory)
- https://github.com/codeigniter4/CodeIgniter4/issues/6540 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/codeigniter4/CodeIgniter4/pull/6544 (Patch, Third Party Advisory)
- https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637- (Mitigation, Third Party Advisory)
FAQ
What is CVE-2022-39284?
CVE-2022-39284 is a vulnerability with a CVSS score of 2.6 (LOW). CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting `$secure` or `$httponly` value to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie...
How severe is CVE-2022-39284?
CVE-2022-39284 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-39284?
Check the references section above for vendor advisories and patch information. Affected products include: Codeigniter Codeigniter.