Package details: pkg:composer/codeigniter4/shield@1.0.0-beta.2
purl pkg:composer/codeigniter4/shield@1.0.0-beta.2
Next non-vulnerable version 1.0.0-beta.8
Latest non-vulnerable version 1.0.0-beta.8
Risk 3.4
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-9pkw-h7uu-xkgf
Aliases:
CVE-2023-48708
GHSA-j72f-h752-mx4w
GMS-2023-4599
Insertion of Sensitive Information into Log

### Impact

If successful login attempts are recorded, the raw tokens are stored in the log table. If a malicious person somehow views the data in the log table, he or she can obtain a raw token, which can then be used to send a request with that user's authority.

When you (1) **use the following authenticators**,

- [AccessTokens](https://codeigniter4.github.io/shield/references/authentication/tokens/) (`tokens`)
- [JWT](https://codeigniter4.github.io/shield/addons/jwt/) (`jwt`)
- [HmacSha256](https://codeigniter4.github.io/shield/references/authentication/hmac/) (`hmac`)

and you (2) **log successful login attempts**, the raw tokens are stored.

### Patches

Upgrade to Shield v1.0.0-beta.8 or later.

### Workarounds

Disable logging for successful login attempts in the configuration files.

- AccessTokens or HmacSha256
  - Set `Config\AuthToken::$recordLoginAttempt` to `Auth::RECORD_LOGIN_ATTEMPT_FAILURE` or `Auth::RECORD_LOGIN_ATTEMPT_NONE`
- JWT
  - Set `Config\AuthJWT::$recordLoginAttempt` to `Auth::RECORD_LOGIN_ATTEMPT_FAILURE` or `Auth::RECORD_LOGIN_ATTEMPT_NONE`

### References

- https://codeigniter4.github.io/shield/getting_started/authenticators/

### For more information

If you have any questions or comments about this advisory:

* Open an issue or discussion in [codeigniter4/shield](https://github.com/codeigniter4/shield)
* Email us at [security@codeigniter.com](mailto:security@codeigniter.com)

Fixed by: 1.0.0-beta.8
Affected by 0 other vulnerabilities.
VCID-rn23-tab5-3kbq
Aliases:
CVE-2023-27580
GHSA-c5vj-f36q-p9vg
Use of Password Hash With Insufficient Computational Effort

CodeIgniter Shield provides authentication and authorization for the CodeIgniter 4 PHP framework. An improper implementation was found in the password storage process. All hashed passwords stored in Shield v1.0.0-beta.3 or earlier are easier to crack than expected due to the vulnerability. Therefore, they should be removed as soon as possible. If an attacker obtains (1) the user's hashed password stored by Shield, and (2) the hashed password (SHA-384 hash without salt) from somewhere, the attacker may easily crack the user's password.

Upgrade to Shield v1.0.0-beta.4 or later to fix this issue. After upgrading, all users' hashed passwords should be updated (saved to the database). There are no known workarounds.

Fixed by: 1.0.0-beta.4
Affected by 2 other vulnerabilities.
VCID-v5wc-pnsf-cya2
Aliases:
CVE-2023-48707
GHSA-v427-c49j-8w6x
GMS-2023-4600
Cleartext Storage of Sensitive Information in HMAC SHA256 Authentication

### Impact

**secretKey**, an important key for HMAC SHA256 authentication, was stored in the database in raw form. If a malicious person somehow had access to the data in the database, they could use the key and secretKey for HMAC SHA256 authentication to send requests impersonating that person.

### Patches

Upgrade to Shield v1.0.0-beta.8 or later. After upgrading, all existing secret keys must be encrypted. See https://github.com/codeigniter4/shield/blob/develop/UPGRADING.md for details.

### Workarounds

None.

### References

- https://codeigniter4.github.io/shield/references/authentication/hmac/

### For more information

If you have any questions or comments about this advisory:

* Open an issue or discussion in [codeigniter4/shield](https://github.com/codeigniter4/shield)
* Email us at [security@codeigniter.com](mailto:security@codeigniter.com)

Fixed by: 1.0.0-beta.8
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-fpcv-9quu-8fe2

Aliases:
CVE-2022-35943
GHSA-5hm8-vh6r-2cjq

CodeIgniter Shield Vulnerable to SameSite Attackers Bypassing the CSRF Protection

### Impact

This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter Shield.

For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`).

This vulnerability exists whether `Config\Security::$csrfProtection` is `'cookie'` or `'session'`. It is also exploitable whether `Config\Security::$regenerate` is `true` or `false`.

### Patches

Upgrade to **CodeIgniter v4.2.3 or later** and **Shield v1.0.0-beta.2 or later**.

### Workarounds

Do all of the following:

- set `Config\Security::$csrfProtection` to `'session'`
- remove old session data right after login (immediately after ID and password match)
- regenerate CSRF token right after login (immediately after ID and password match)

### References

- [CodeIgniter4 CSRF Protection](https://codeigniter4.github.io/userguide/libraries/security.html)
- [SameSite Attacks](https://canitakeyoursubdomain.name/)
- [SameSite Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)
- [The great SameSite confusion](https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/)

### For more information

If you have any questions or comments about this advisory:

* Open an issue or discussion in [codeigniter4/shield](https://github.com/codeigniter4/shield)
* Email us at [security@codeigniter.com](mailto:security@codeigniter.com)