Veracode Vulnerability Database: VERACODE:44368
History: Nov 23, 2023 - 10:51 a.m.

Sensitive Information Stored In Clear Text

2023-11-23 10:51:32
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
Tags: codeigniter4, sensitive information, disclosure, secretkey, hmac, sha256, authentication, raw format, database, requests, impersonation

CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 7.3 High (Confidence: Low)

EPSS: 0.0005 Low (Percentile: 18.1%)

codeigniter4 is vulnerable to Sensitive Information Disclosure. The vulnerability is due to the secretKey for HMAC SHA256 authentication being stored in a raw format. An attacker who gains access to the database can use the secretKey to send requests impersonating any person in the system.
