CVE-2022-39284
CVSS V2 None
CVSS V3 Medium 4.3
Description
CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting `$secure` or `$httponly` value to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`. As a result cookie values are erroneously exposed to scripts. It should be noted that this vulnerability does not affect session cookies. Users are advised to upgrade to v4.2.7 or later. Users unable to upgrade are advised to manually construct their cookies either by setting the options in code or by constructing Cookie objects. Examples of each workaround are available in the linked GHSA.
Overview
- CVE ID
- CVE-2022-39284
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2022-10-06T20:15:35
- Last Modified Date
- 2022-10-11T16:26:10
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:* | 1 | OR | 4.0.0 | 4.2.7 |
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- LOW
- Availability Impact
- NONE
- Base Score
- 4.3
- Base Severity
- MEDIUM
- Exploitability Score
- 2.8
- Impact Score
- 1.4
References
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-39284 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39284 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-10-06 21:00:13 | Added to TrackCVE | |||
| 2022-12-07 05:39:10 | 2022-10-06T20:15Z | 2022-10-06T20:15:35 | CVE Published Date | updated |
| 2022-12-07 05:39:10 | 2022-10-11T16:26:10 | CVE Modified Date | updated | |
| 2022-12-07 05:39:10 | Analyzed | Vulnerability Status | updated |