CVE-2014-8684

CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
VendorProductVersion
codeignitercodeigniter
𝑥
≤ 2.2.6
kohanaframeworkkohana
3.2.3
kohanaframeworkkohana
3.3.0
kohanaframeworkkohana
3.3.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html
http://seclists.org/fulldisclosure/2014/May/54
https://github.com/kohana/core/pull/492
https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection
http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html
http://seclists.org/fulldisclosure/2014/May/54
https://github.com/kohana/core/pull/492
https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection