GitHub Advisory Database: GHSA-HWXF-QXJ7-7RFJ
Published: Oct 30, 2023 - 3:18 p.m.

CodeIgniter4 vulnerable to information disclosure when detailed error report is displayed in production environment

CWE: CWE-209
Source: GitHub Advisory Database (github.com)
Tags: codeigniter4, vulnerability, information disclosure, production environment, upgrade, detailed error report, confidential information, patch, workaround, security advisory

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.8 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 28.1%)

Impact

If an error or exception occurs in CodeIgniter4 v4.4.2 and earlier, the detailed error report is displayed even when the application is running in the production environment. As a result, confidential information contained in that report may be disclosed to unauthenticated remote users (the CVSS vector is AV:N, PR:N, UI:N): any request that triggers an error is enough.

Patches

Upgrade to v4.4.3 or later; see the upgrading guide. The installed version can be checked with composer show codeigniter4/framework.

Workarounds

In app/Config/Boot/production.php, replace ini_set('display_errors', '0') with ini_set('display_errors', 'Off'). PHP itself treats both values as "disabled"; the change matters only because the affected framework versions inspect the raw display_errors string themselves when choosing which error view to render, and do not recognise '0' as disabled. The workaround sidesteps that check; upgrading is still the real fix.
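Why changing '0' to 'Off' takes effect, shown as an added illustration that is not code from the CodeIgniter4 project or from this advisory. The "buggy" check below is a simplified reconstruction of the class of mistake that produces the behaviour described (strip the spelled-out "off" words, treat whatever is left as "on"), not a claim about the framework's exact line; the function names, the sample values and the hardened variant are assumptions made for this page.

```php
<?php
// Added illustration for GHSA-HWXF-QXJ7-7RFJ. Not code from the CodeIgniter4
// project: the "buggy" check is a simplified reconstruction of the kind of
// test that produces the behaviour the advisory describes, and every function
// name here is an assumption made for this page.
declare(strict_types=1);

/**
 * How PHP itself reads a display_errors value (my reading of the engine;
 * the stderr/stdout modes are left out): "on", "yes" and "true" enable
 * display, anything else is read as an integer, so '0', 'Off', 'false',
 * 'no' and '' all disable it. The two spellings in the workaround are
 * therefore identical as far as PHP is concerned.
 */
function phpDisplaysErrors(string $raw): bool
{
    $v = strtolower(trim($raw));
    if (in_array($v, ['on', 'yes', 'true'], true)) {
        return true;
    }

    return (int) $v !== 0;
}

/**
 * A check of the vulnerable kind (hypothetical, simplified). It strips the
 * spelled-out "off" words and treats whatever text is left as "enabled".
 * The digit '0' survives the replacement and is a non-empty string, so
 * ini_set('display_errors', '0') is misread as a request for the detailed
 * error report, even in production.
 */
function frameworkDisplaysErrorsBuggy(string $raw): bool
{
    return str_ireplace(['off', 'none', 'no', 'false', 'null'], '', $raw) !== '';
}

/**
 * Hardened variant: an explicit allow-list of "on" spellings selects the
 * detailed view; every other value, including anything unexpected, falls
 * back to the generic production page. Fail closed, not open.
 */
function frameworkDisplaysErrorsFixed(string $raw): bool
{
    return in_array(strtolower(trim($raw)), ['1', 'on', 'yes', 'true'], true);
}

/** Which error view a request would receive under a given check. */
function chooseErrorView(string $displayErrors, callable $check): string
{
    // error_exception.php = stack trace, file paths, request data;
    // production.php      = generic "Whoops!" page.
    return $check($displayErrors) ? 'error_exception.php' : 'production.php';
}

// Constructed sample values, including the two from the advisory's workaround.
$samples = ['0', 'Off', 'off', '', 'false', '1', 'On'];

printf("%-8s %-6s %-20s %-20s\n", 'value', 'php', 'buggy check', 'fixed check');
foreach ($samples as $raw) {
    printf(
        "%-8s %-6s %-20s %-20s\n",
        var_export($raw, true),
        var_export(phpDisplaysErrors($raw), true),
        chooseErrorView($raw, 'frameworkDisplaysErrorsBuggy'),
        chooseErrorView($raw, 'frameworkDisplaysErrorsFixed')
    );
}

// The advisory's workaround, as it lands in app/Config/Boot/production.php:
//   ini_set('display_errors', '0');    // survives the buggy strip as '0' -> detailed view
//   ini_set('display_errors', 'Off');  // stripped to '' -> production view
```

Run it with php on the command line: the '0' row is the vulnerability (PHP says "off", the buggy check still selects error_exception.php), and the 'Off' row shows why the workaround works (the word is stripped to an empty string, so the production view is chosen). The hardened check chooses production.php for both, and for any value it does not recognise, which is the property a practitioner should expect from any "show debug output?" decision in production code.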

For more information

If you have any questions or comments about this advisory:

Affected configurations

Package: codeigniter4/framework
Operator: le (affected versions <= 4.4.2)
Version: 4.4.2
