CVE-2023-48707

EUVD-2023-3035
CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. The `secretKey` value is an important key for HMAC SHA256 authentication and in affected versions was stored in the database in cleartext form. If a malicious person somehow had access to the data in the database, they could use the key and secretKey for HMAC SHA256 authentication to send requests impersonating that corresponding user. This issue has been addressed in version 1.0.0-beta.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 MEDIUM
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N
GitHub_MCNA
5 MEDIUM
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 18%
Affected Products (NVD)
VendorProductVersion
codeignitershield
1.0.0:beta
codeignitershield
1.0.0:beta2
codeignitershield
1.0.0:beta3
codeignitershield
1.0.0:beta4
codeignitershield
1.0.0:beta5
codeignitershield
1.0.0:beta6
codeignitershield
1.0.0:beta7
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/codeigniter4/shield/commit/f77c6ae20275ac1245330a2b9a523bf7e6f6202f
https://github.com/codeigniter4/shield/security/advisories/GHSA-v427-c49j-8w6x
https://github.com/codeigniter4/shield/commit/f77c6ae20275ac1245330a2b9a523bf7e6f6202f
https://github.com/codeigniter4/shield/security/advisories/GHSA-v427-c49j-8w6x