| CVSS3 metric | Value |
|---|---|
| Base score | 8.8 High |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |

EPSS: 0.002 (Low), percentile 55.6%
This vulnerability may allow SameSite attackers to bypass the CodeIgniter4 CSRF protection mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., https://a.example.com/) of the target site (e.g., http://example.com/).

This vulnerability exists whether Config\Security::$csrfProtection is 'cookie' or 'session'. It is also exploitable whether Config\Security::$regenerate is true or false.
Upgrade to CodeIgniter v4.2.3 or later and Shield v1.0.0-beta.2 or later.

Do all of the following:

- Set Config\Security::$csrfProtection to 'session'
| CPE | Name | Operator | Version |
|---|---|---|---|
| | codeigniter4/shield | eq | 1.0.0-beta |
codeigniter4.github.io/userguide/libraries/security.htm
developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
github.com/codeigniter4/shield
github.com/codeigniter4/shield/commit/342a368536678621998c3c41d276480cd14ec6c6
github.com/codeigniter4/shield/security/advisories/GHSA-5hm8-vh6r-2cjq
jub0bs.com/posts/2021-01-29-great-samesite-confusion
nvd.nist.gov/vuln/detail/CVE-2022-35943