Home > Vulnerability Database > CVE-2022-21647

Mend.io Vulnerability Database

CVE-2022-21647

Date: January 4, 2022

CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the "old()" function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection. Users are advised to upgrade to v4.1.6 or later. Users unable to upgrade as advised to not use the "old()" function and form_helper nor "RedirectResponse::withInput()" and "redirect()->withInput()".

Language: PHP

Severity Score

7.7

Related Resources (6)

Url: https://github.com/codeigniter4/CodeIgniter4/commit/ce95ed5765256e2f09f3513e7d42790e0d6948f5

Url: https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-w6jr-wj64-mc9x

Url: https://github.com/FriendsOfPHP/security-advisories/blob/master/codeigniter4/framework/CVE-2022-21647.yaml

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-21647

Url: https://github.com/codeigniter4/CodeIgniter4

Url: https://www.mend.io/vulnerability-database/CVE-2022-21647

Severity Score

7.7

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

CVSS v3.1

Base Score:	7.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-21647

Date: January 4, 2022

Language: PHP

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?