SB2022122233 - Multiple vulnerabilities in CodeIgniter4



SB2022122233 - Multiple vulnerabilities in CodeIgniter4

Published: December 22, 2022 Updated: May 23, 2026

Security Bulletin ID SB2022122233
CSH Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 50% Medium 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Improper Authentication (CVE-ID: CVE-2022-46170)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to improper authentication in session handlers when handling applications configured with multiple session cookies using the DatabaseHandler, MemcachedHandler, or RedisHandler. A remote attacker can obtain one valid session cookie and use it to access pages that require another session cookie to bypass authentication.

Exploitation requires an application to use multiple session cookies.


2) Insufficient verification of data authenticity (CVE-ID: CVE-2022-23556)

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to spoof their IP address.

The vulnerability exists due to insufficient verification of data authenticity in the IP address handling logic when determining the client IP address behind a reverse proxy. A remote attacker can supply spoofed proxy-related address information to spoof their IP address.

Exploitation is possible when the server is deployed behind a reverse proxy.


Remediation

Install update from vendor's website.