CVE-2022-39284

CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting `$secure` or `$httponly` value to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`. As a result cookie values are erroneously exposed to scripts. It should be noted that this vulnerability does not affect session cookies. Users are advised to upgrade to v4.2.7 or later. Users unable to upgrade are advised to manually construct their cookies either by setting the options in code or by constructing Cookie objects. Examples of each workaround are available in the linked GHSA.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
2.6 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
GitHub_MCNA
2.6 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 33%
VendorProductVersion
codeignitercodeigniter
4.0.0 ≤
𝑥
< 4.2.7
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie
https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter%5CHTTP%5CResponse::setCookie
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
https://github.com/codeigniter4/CodeIgniter4/issues/6540
https://github.com/codeigniter4/CodeIgniter4/pull/6544
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp
https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie
https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter%5CHTTP%5CResponse::setCookie
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
https://github.com/codeigniter4/CodeIgniter4/issues/6540
https://github.com/codeigniter4/CodeIgniter4/pull/6544
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp