Vulnerability DatabaseCVE-2022-46170
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2022-46170
December 22, 2022
CodeIgniter is a PHP full-stack web framework. When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to "DatabaseHandler", "MemcachedHandler", or "RedisHandler", then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages that require another session cookie (e.g., for admin pages). This issue has been patched, please upgrade to version 4.2.11 or later. As a workaround, use only one session cookie.
Related ResourcesĀ (7)
https://github.com/codeigniter4/CodeIgniter4
https://github.com/codeigniter4/CodeIgniter4/commit/f9fb6574fbeb5a4aa63f7ea87296523e10db9328
https://codeigniter4.github.io/userguide/libraries/sessions.html#session-drivers
https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/46xxx/CVE-2022-46170.json
https://github.com/FriendsOfPHP/security-advisories/blob/master/codeigniter4/framework/CVE-2022-46170.yaml
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-6cq5-8cj7-g558
https://nvd.nist.gov/vuln/detail/CVE-2022-46170
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.6
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Improper Authentication
CWE-287
EPSS
Base Score:
0.31