GHSA-745p-r637-7vvp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-745p-r637-7vvp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-745p-r637-7vvp/GHSA-745p-r637-7vvp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-745p-r637-7vvp
- Aliases
- Published
- 2022-10-06T20:01:41Z
- Modified
- 2024-02-16T08:04:07.612498Z
- Severity
-
- 2.6 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Codeigniter4's Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued
- Details
-
Impact
Setting
$secureor$httponlyvalue totrueinConfig\Cookieis not reflected inset_cookie()orResponse::setCookie().Note This vulnerability does not affect session cookies.
The following code does not issue a cookie with the secure flag even if you set
$secure = trueinConfig\Cookie.helper('cookie'); $cookie = [ 'name' => $name, 'value' => $value, ]; set_cookie($cookie); // or $this->response->setCookie($cookie);Patches
Upgrade to v4.2.7 or later.
Workarounds
- Specify the options explicitly.
helper('cookie'); $cookie = [ 'name' => $name, 'value' => $value, 'secure' => true, 'httponly' => true, ]; set_cookie($cookie); // or $this->response->setCookie($cookie); - Use Cookie object.
use CodeIgniter\Cookie\Cookie; helper('cookie'); $cookie = new Cookie($name, $value); set_cookie($cookie); // or $this->response->setCookie($cookie);
References
- https://codeigniter4.github.io/userguide/helpers/cookiehelper.html#setcookie
- https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter\HTTP\Response::setCookie
For more information
If you have any questions or comments about this advisory: * Open an issue in codeigniter4/CodeIgniter4 * Email us at SECURITY.md
- Specify the options explicitly.
- Database specific
{ "nvd_published_at": "2022-10-06T20:15:00Z", "severity": "LOW", "github_reviewed_at": "2022-10-06T20:01:41Z", "github_reviewed": true, "cwe_ids": [ "CWE-665", "CWE-732" ] }- References
-
- https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp
- https://nvd.nist.gov/vuln/detail/CVE-2022-39284
- https://github.com/codeigniter4/CodeIgniter4/issues/6540
- https://github.com/codeigniter4/CodeIgniter4/pull/6544
- https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie
- https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter%5CHTTP%5CResponse::setCookie
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
- https://github.com/FriendsOfPHP/security-advisories/blob/master/codeigniter4/framework/CVE-2022-39284.yaml
- https://github.com/codeigniter4/CodeIgniter4
Affected packages
Packagist / codeigniter4/framework
Package
- Name
- codeigniter4/framework
- Purl
- pkg:composer/codeigniter4/framework
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.2.7
Affected versions
v4.*
v4.0.0-alpha.3
v4.0.0-alpha.4
v4.0.0-alpha.5
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.0-beta.3
v4.0.0-beta.4
v4.0.0-rc.1
v4.0.0-rc.2
v4.0.0-rc.2.1
v4.0.0-rc.3
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
4.*
4.0.0-rc.4
4.0.0