GHSA-745P-R637-7VVP

Vulnerability from github – Published: 2022-10-06 20:01 – Updated: 2022-10-06 20:01
VLAI?
Summary
Codeigniter4's Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued
Details

Impact

Setting $secure or $httponly value to true in Config\Cookie is not reflected in set_cookie() or Response::setCookie().

Note This vulnerability does not affect session cookies.

The following code does not issue a cookie with the secure flag even if you set $secure = true in Config\Cookie.

helper('cookie');

$cookie = [
    'name'  => $name,
    'value' => $value,
];
set_cookie($cookie);
// or
$this->response->setCookie($cookie);

Patches

Upgrade to v4.2.7 or later.

Workarounds

  1. Specify the options explicitly. ```php helper('cookie');

$cookie = [ 'name' => $name, 'value' => $value, 'secure' => true, 'httponly' => true, ]; set_cookie($cookie); // or $this->response->setCookie($cookie); 2. Use Cookie object.php use CodeIgniter\Cookie\Cookie;

helper('cookie');

$cookie = new Cookie($name, $value); set_cookie($cookie); // or $this->response->setCookie($cookie); ```

References

  • https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie
  • https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter\HTTP\Response::setCookie

For more information

If you have any questions or comments about this advisory: * Open an issue in codeigniter4/CodeIgniter4 * Email us at SECURITY.md

Severity ?
2.6 (Low)
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "codeigniter4/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39284"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665",
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-06T20:01:41Z",
    "nvd_published_at": "2022-10-06T20:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\nSetting `$secure` or `$httponly` value to `true` in `Config\\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`.\n\n\u003e **Note**\n\u003e This vulnerability does not affect session cookies.\n\nThe following code does not issue a cookie with the secure flag even if you set `$secure = true` in `Config\\Cookie`.\n\n```php\nhelper(\u0027cookie\u0027);\n\n$cookie = [\n    \u0027name\u0027  =\u003e $name,\n    \u0027value\u0027 =\u003e $value,\n];\nset_cookie($cookie);\n// or\n$this-\u003eresponse-\u003esetCookie($cookie);\n```\n\n### Patches\nUpgrade to v4.2.7 or later.\n\n### Workarounds\n1. Specify the options explicitly.\n   ```php\n   helper(\u0027cookie\u0027);\n\n   $cookie = [\n       \u0027name\u0027     =\u003e $name,\n       \u0027value\u0027    =\u003e $value,\n       \u0027secure\u0027   =\u003e true,\n       \u0027httponly\u0027 =\u003e true,\n   ];\n   set_cookie($cookie);\n   // or\n   $this-\u003eresponse-\u003esetCookie($cookie);\n   ```\n2. Use Cookie object.\n   ```php\n   use CodeIgniter\\Cookie\\Cookie;\n\n   helper(\u0027cookie\u0027);\n\n   $cookie = new Cookie($name, $value);\n   set_cookie($cookie);\n   // or\n   $this-\u003eresponse-\u003esetCookie($cookie);\n   ```\n\n### References\n- https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie\n- https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter\\HTTP\\Response::setCookie\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [codeigniter4/CodeIgniter4](https://github.com/codeigniter4/CodeIgniter4/issues)\n* Email us at [SECURITY.md](https://github.com/codeigniter4/CodeIgniter4/blob/develop/SECURITY.md)\n",
  "id": "GHSA-745p-r637-7vvp",
  "modified": "2022-10-06T20:01:41Z",
  "published": "2022-10-06T20:01:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39284"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codeigniter4/CodeIgniter4/issues/6540"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codeigniter4/CodeIgniter4/pull/6544"
    },
    {
      "type": "WEB",
      "url": "https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie"
    },
    {
      "type": "WEB",
      "url": "https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter%5CHTTP%5CResponse::setCookie"
    },
    {
      "type": "WEB",
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/codeigniter4/framework/CVE-2022-39284.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/codeigniter4/CodeIgniter4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Codeigniter4\u0027s Secure or HttpOnly flag set in Config\\Cookie is not reflected in Cookies issued"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.