CVE-2023-48707 MEDIUM

CVE-2023-48707: Cleartext Storage of Sensitive Information in codeigniter4/shield

Vendor Codeigniter4
Product shield
Weakness CWE-312 · Cleartext storage
Published November 24, 2023
Last update August 2, 2024

CVSS base score

5.0/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

Description

CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. The `secretKey` value is the signing key for Shield's HMAC SHA256 request authentication, and in affected versions it was stored in the database in cleartext. An attacker who somehow obtained the database contents could take the key identifier and the corresponding `secretKey` and use them to sign requests impersonating the user they belong to. This issue has been addressed in version 1.0.0-beta.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
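The root cause is that an HMAC secret, unlike a password, must be recoverable by the server so it can recompute the MAC; it therefore cannot be hashed and has to be encrypted at rest instead. The following PHP snippet is an added illustration of that distinction and of the mitigation, not Shield's own code: the `storeSecretCleartext`, `storeSecretEncrypted`, `loadSecretEncrypted` and `verifyRequest` functions, the in-memory `$table` standing in for a database table, and the use of libsodium's secretbox with a key held outside the database are all assumptions made for the example.

```php
<?php
// Added example (not CodeIgniter Shield's code): storing an HMAC SHA256 request
// secret encrypted at rest instead of in cleartext.
// Assumptions: libsodium (bundled with PHP >= 7.2), an in-memory array as a
// stand-in for the tokens table, and request signing as HMAC-SHA256 over the
// raw request body. Function and variable names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the secret is written to the row as-is, so anyone who
// can read the table (dump, backup, SQL injection elsewhere) can sign requests.
function storeSecretCleartext(array &$table, string $keyId, string $secretKey): void
{
    $table[$keyId] = ['secret' => $secretKey];
}

// Hardened pattern: encrypt the secret with a key that lives outside the
// database (environment variable, KMS, HSM). A copy of the table alone no
// longer yields a usable signing secret.
function storeSecretEncrypted(array &$table, string $keyId, string $secretKey, string $encKey): void
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($secretKey, $nonce, $encKey);
    // The nonce is not secret; it is stored next to the ciphertext so the
    // server can decrypt later. secretbox also authenticates the ciphertext,
    // so a tampered row fails to open rather than yielding a wrong key.
    $table[$keyId] = ['secret' => base64_encode($nonce . $box)];
}

// Decrypts the stored secret for MAC verification. Returns null if the row
// is missing or the ciphertext does not authenticate under $encKey.
function loadSecretEncrypted(array $table, string $keyId, string $encKey): ?string
{
    if (!isset($table[$keyId])) {
        return null;
    }
    $blob = base64_decode($table[$keyId]['secret'], true);
    if ($blob === false || strlen($blob) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $encKey);

    return $plain === false ? null : $plain;
}

// The server has to recompute the MAC over the request, which is exactly why
// the secret must be recoverable (and hence encrypted, not hashed).
// hash_equals() gives a constant-time comparison.
function verifyRequest(string $body, string $presentedMac, ?string $secretKey): bool
{
    if ($secretKey === null) {
        return false;
    }
    $expected = hash_hmac('sha256', $body, $secretKey);

    return hash_equals($expected, $presentedMac);
}

// Demonstration with constructed values.
$encKey = sodium_crypto_secretbox_keygen(); // in production: loaded from outside the DB
$table  = [];
$secret = bin2hex(random_bytes(32));         // the per-token secretKey

storeSecretCleartext($table, 'key_plain', $secret);
storeSecretEncrypted($table, 'key_enc', $secret, $encKey);

// The cleartext row contains the secret verbatim; the encrypted row does not.
var_dump(str_contains($table['key_plain']['secret'], $secret));
var_dump(str_contains($table['key_enc']['secret'], $secret));

// Normal verification path for a signed request.
$body = '{"action":"transfer","amount":10}';
$mac  = hash_hmac('sha256', $body, $secret);
var_dump(verifyRequest($body, $mac, loadSecretEncrypted($table, 'key_enc', $encKey)));

// A database copy taken without the encryption key cannot recover the secret.
$attackerKey = sodium_crypto_secretbox_keygen();
var_dump(loadSecretEncrypted($table, 'key_enc', $attackerKey));
```

The key management is the part that matters: the encryption key must never sit in the same database as the rows it protects, otherwise the dump the description warns about would contain both halves. Rotating that key means re-encrypting the stored secrets, so keep the nonce-prefixed layout stable and version it if you expect to change schemes.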

Key dates

Disclosure timeline

November 24, 2023 CVE published
August 2, 2024 Record updated