CVE-2023-48707: Cleartext Storage of Sensitive Information in codeigniter4/shield
First published: Thu Nov 23 2023(Updated: )
### Impact **secretKey**, an important key for HMAC SHA256 authentication, was stored in the database in raw form. If a malicious person somehow had access to the data in the database, they could use the key and secretKey for HMAC SHA256 authentication to send requests impersonating that person. ### Patches Upgrade to Shield v1.0.0-beta.8 or later. After upgrading, all existing secret keys must be encrypted. See https://github.com/codeigniter4/shield/blob/develop/UPGRADING.md for details. ### Workarounds None. ### References - https://codeigniter4.github.io/shield/references/authentication/hmac/ ### For more information If you have any questions or comments about this advisory: * Open an issue or discussion in [codeigniter4/shield](https://github.com/codeigniter4/shield) * Email us at [security@codeigniter.com](mailto:security@codeigniter.com)
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/codeigniter4/shield | <1.0.0-beta.8 | 1.0.0-beta.8 |
| CodeIgniter Shield | =1.0.0-beta | |
| CodeIgniter Shield | =1.0.0-beta2 | |
| CodeIgniter Shield | =1.0.0-beta3 | |
| CodeIgniter Shield | =1.0.0-beta4 | |
| CodeIgniter Shield | =1.0.0-beta5 | |
| CodeIgniter Shield | =1.0.0-beta6 | |
| CodeIgniter Shield | =1.0.0-beta7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-48707?
The severity of CVE-2023-48707 is medium.
How does CVE-2023-48707 impact codeigniter4/shield?
CVE-2023-48707 allows a malicious person with access to the database to impersonate others using the secretKey for HMAC SHA256 authentication.
How do I fix CVE-2023-48707?
To fix CVE-2023-48707, update codeigniter4/shield to version 1.0.0-beta.8.
Where can I find more information about CVE-2023-48707?
You can find more information about CVE-2023-48707 at the following references: [GitHub Advisory](https://github.com/codeigniter4/shield/security/advisories/GHSA-v427-c49j-8w6x), [GitHub Commit](https://github.com/codeigniter4/shield/commit/f77c6ae20275ac1245330a2b9a523bf7e6f6202f), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-48707).
What is the CWE ID for CVE-2023-48707?
The CWE ID for CVE-2023-48707 is 312.
- collector/github-advisory-latest
- alias/GHSA-v427-c49j-8w6x
- alias/CVE-2023-48707
- collector/nvd-api
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/references
- agent/softwarecombine
- agent/first-publish-date
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/weakness
- agent/tags
- agent/description
- agent/event
- agent/trending
- package-manager/composer
- vendor/codeigniter
- canonical/codeigniter shield
- version/codeigniter shield/1.0.0-beta
- version/codeigniter shield/1.0.0-beta2
- version/codeigniter shield/1.0.0-beta3
- version/codeigniter shield/1.0.0-beta4
- version/codeigniter shield/1.0.0-beta5
- version/codeigniter shield/1.0.0-beta6
- version/codeigniter shield/1.0.0-beta7