SB2022122233 - Multiple vulnerabilities in CodeIgniter4
Published: December 22, 2022 Updated: May 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper Authentication (CVE-ID: CVE-2022-46170)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to improper authentication in session handlers when handling applications configured with multiple session cookies using the DatabaseHandler, MemcachedHandler, or RedisHandler. A remote attacker can obtain one valid session cookie and use it to access pages that require another session cookie to bypass authentication.
Exploitation requires an application to use multiple session cookies.
2) Insufficient verification of data authenticity (CVE-ID: CVE-2022-23556)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to spoof their IP address.
The vulnerability exists due to insufficient verification of data authenticity in the IP address handling logic when determining the client IP address behind a reverse proxy. A remote attacker can supply spoofed proxy-related address information to spoof their IP address.
Exploitation is possible when the server is deployed behind a reverse proxy.
Remediation
Install update from vendor's website.
References
- https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-6cq5-8cj7-g558
- https://codeigniter4.github.io/userguide/libraries/sessions.html#session-drivers
- https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-ghw3-5qvm-3mqc
- https://codeigniter4.github.io/userguide/incoming/request.html#CodeIgniter\HTTP\Request::getIPAddress