GHSA-w9ph-q4h9-rwq6

Source
https://github.com/advisories/GHSA-w9ph-q4h9-rwq6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w9ph-q4h9-rwq6/GHSA-w9ph-q4h9-rwq6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w9ph-q4h9-rwq6
Aliases
  • CVE-2014-8684
Published
2022-05-17T00:47:12Z
Modified
2024-02-16T08:02:20.815684Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
CodeIgniter and Kohana vulnerable to PHP Object Injection
Details

CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.

References

Affected packages

Packagist / codeigniter/framework

Package

Name
codeigniter/framework
Purl
pkg:composer/codeigniter/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.0.0

Affected versions

3.*

3.0rc
3.0rc2
3.0rc3

Packagist / kohana/core

Package

Name
kohana/core
Purl
pkg:composer/kohana/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.3.3

Affected versions

v3.*

v3.2.3
v3.3.1
v3.3.2