GHSA-745p-r637-7vvp

Source
https://github.com/advisories/GHSA-745p-r637-7vvp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-745p-r637-7vvp/GHSA-745p-r637-7vvp.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-745p-r637-7vvp
Published
2022-10-06T20:01:41Z
Modified
2023-12-06T00:47:30.878149Z
Severity
  • 2.6 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Summary
Codeigniter4's Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued
Details

Impact

Setting the $secure or $httponly value to true in Config\Cookie is not reflected in cookies issued through set_cookie() or Response::setCookie().

Note: This vulnerability does not affect session cookies.

The following code does not issue a cookie with the secure flag even if you set $secure = true in Config\Cookie.

helper('cookie');

$cookie = [
    'name'  => $name,
    'value' => $value,
];
set_cookie($cookie);
// or
$this->response->setCookie($cookie);

Patches

Upgrade to v4.2.7 or later.

Workarounds

  1. Specify the options explicitly.

    helper('cookie');

    $cookie = [
        'name'     => $name,
        'value'    => $value,
        'secure'   => true,
        'httponly' => true,
    ];
    set_cookie($cookie);
    // or
    $this->response->setCookie($cookie);

  2. Use the Cookie object.

    use CodeIgniter\Cookie\Cookie;

    helper('cookie');

    $cookie = new Cookie($name, $value);
    set_cookie($cookie);
    // or
    $this->response->setCookie($cookie);
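Whichever workaround (or the upgrade) is applied, the outcome worth verifying is the Set-Cookie headers the application actually emits. The following audit script is an added example, not part of the advisory or of CodeIgniter; the header lines it inspects are constructed to mimic a response before and after the fix, and the cookie names are illustrative.

```python
import re
from typing import Dict, List

# Constructed sample Set-Cookie headers (not captured from a real deployment).
# VULNERABLE_HEADERS mimics an app on CodeIgniter < 4.2.7 with $secure/$httponly
# set in Config\Cookie but ignored by set_cookie(); the session cookie is
# unaffected, as the advisory notes. FIXED_HEADERS mimics the same app after
# upgrading to 4.2.7 (or passing the options explicitly).
VULNERABLE_HEADERS = [
    "Set-Cookie: remember_me=abc123; Path=/; SameSite=Lax",
    "Set-Cookie: ci_session=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",
]
FIXED_HEADERS = [
    "Set-Cookie: remember_me=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: ci_session=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",
]

# Attribute names are compared case-insensitively, as browsers treat them.
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into the cookie name and a lower-cased attribute map."""
    value = re.sub(r"^set-cookie:\s*", "", header.strip(), flags=re.IGNORECASE)
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name, "attrs": attrs}


def missing_flags(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing flag, ...]} for every cookie lacking Secure or HttpOnly."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [flag for flag in REQUIRED_FLAGS if flag not in cookie["attrs"]]
        if missing:
            findings[cookie["name"]] = missing
    return findings


if __name__ == "__main__":
    print("before fix:", missing_flags(VULNERABLE_HEADERS))  # remember_me lacks both flags
    print("after fix: ", missing_flags(FIXED_HEADERS))       # {}
```

Point the header lists at the raw Set-Cookie lines from a staging response (for example, from a curl -i capture) to confirm that every application-issued cookie carries both flags after the change.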

References

  • https://codeigniter4.github.io/userguide/helpers/cookiehelper.html#setcookie
  • https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter\HTTP\Response::setCookie

For more information

If you have any questions or comments about this advisory:

  • Open an issue in codeigniter4/CodeIgniter4
  • Email us at the address given in SECURITY.md

Database specific
{
    "nvd_published_at": "2022-10-06T20:15:00Z",
    "cwe_ids": [
        "CWE-665",
        "CWE-732"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-06T20:01:41Z"
}

Affected packages

Packagist / codeigniter4/framework

Package

Name
codeigniter4/framework
Purl
pkg:composer/codeigniter4/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.2.7

Affected versions

v4.*

v4.0.0-alpha.3
v4.0.0-alpha.4
v4.0.0-alpha.5
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.0-beta.3
v4.0.0-beta.4
v4.0.0-rc.1
v4.0.0-rc.2
v4.0.0-rc.2.1
v4.0.0-rc.3
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6

4.*

4.0.0-rc.4
4.0.0