First published: Thu Nov 23 2023(Updated: )
CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. The `secretKey` value is an important key for HMAC SHA256 authentication and in affected versions was stored in the database in cleartext form. If a malicious person somehow had access to the data in the database, they could use the key and secretKey for HMAC SHA256 authentication to send requests impersonating that corresponding user. This issue has been addressed in version 1.0.0-beta.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
composer/codeigniter4/shield | <1.0.0-beta.8 | 1.0.0-beta.8 |
CodeIgniter Shield | =1.0.0-beta | |
CodeIgniter Shield | =1.0.0-beta2 | |
CodeIgniter Shield | =1.0.0-beta3 | |
CodeIgniter Shield | =1.0.0-beta4 | |
CodeIgniter Shield | =1.0.0-beta5 | |
CodeIgniter Shield | =1.0.0-beta6 | |
CodeIgniter Shield | =1.0.0-beta7 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2023-48707 is medium.
CVE-2023-48707 allows a malicious person with access to the database to impersonate others using the secretKey for HMAC SHA256 authentication.
To fix CVE-2023-48707, update codeigniter4/shield to version 1.0.0-beta.8.
You can find more information about CVE-2023-48707 at the following references: [GitHub Advisory](https://github.com/codeigniter4/shield/security/advisories/GHSA-v427-c49j-8w6x), [GitHub Commit](https://github.com/codeigniter4/shield/commit/f77c6ae20275ac1245330a2b9a523bf7e6f6202f), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-48707).
The CWE ID for CVE-2023-48707 is 312.