GHSA-w9ph-q4h9-rwq6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w9ph-q4h9-rwq6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w9ph-q4h9-rwq6/GHSA-w9ph-q4h9-rwq6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-w9ph-q4h9-rwq6
- Aliases
-
- CVE-2014-8684
- Published
- 2022-05-17T00:47:12Z
- Modified
- 2024-11-29T05:26:47.774709Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- CodeIgniter and Kohana vulnerable to PHP Object Injection
- Details
-
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.
- Database specific
{ "nvd_published_at": "2017-09-19T19:29:00Z", "cwe_ids": [], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-08-16T23:04:17Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2014-8684
- https://github.com/kohana/core/pull/492
- https://github.com/kohana/core/commit/66b409a6da2960130888989534ff1799532b8f32
- https://github.com/bcit-ci/CodeIgniter/blob/2.2.6/system/libraries/Session.php#L159
- https://web.archive.org/web/20140802041151/https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection
- http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html
- http://seclists.org/fulldisclosure/2014/May/54
Affected packages
Packagist / codeigniter/framework
Package
- Name
- codeigniter/framework
- Purl
- pkg:composer/codeigniter/framework
Packagist / kohana/core
Package
- Name
- kohana/core
- Purl
- pkg:composer/kohana/core