VYPR
Critical severity 9.8 · NVD Advisory · Published Sep 19, 2017 · Updated May 13, 2026

CVE-2014-8684

Description

CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes. Those operators (`===` in the Kohana patch on this page) return as soon as one byte differs, so the time the check takes reveals how many leading bytes of a guessed signature are correct; that timing side channel lets an attacker forge a valid signature without knowing the key.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Ecosystem   Affected versions   Patched versions
codeigniter/framework   Packagist   < 3.0.0             3.0.0
kohana/core             Packagist   < 3.3.3             3.3.3

Affected products

4 CPE entries
  • cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:* (range: <= 2.2.6)
  • cpe:2.3:a:kohanaframework:kohana:3.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:kohanaframework:kohana:3.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:kohanaframework:kohana:3.3.1:*:*:*:*:*:*:*

Patches

1 commit

66b409a6da29

Merge pull request #492 from sarciszewski/3.3/develop

https://github.com/kohana/core · Woody Gilk · May 13, 2014 · via ghsa
2 files changed · +23 −2
  • classes/Kohana/Cookie.php (+1 −1, modified)
    @@ -71,7 +71,7 @@ public static function get($key, $default = NULL)
     			// Separate the salt and the value
     			list ($hash, $value) = explode('~', $cookie, 2);
     
    -			if (Cookie::salt($key, $value) === $hash)
    +			if (Security::slow_equals(Cookie::salt($key, $value), $hash))
     			{
     				// Cookie signature is valid
     				return $value;
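Review bot: the constant-time compare still runs on malformed input: `list ($hash, $value) = explode('~', $cookie, 2)` leaves `$value` NULL (with a notice) when the cookie carries no `~`, so `Cookie::salt($key, NULL)` is computed and compared against the entire cookie string. Reject cookies that do not split into exactly two parts before calling `Security::slow_equals()`, e.g. `if (count($parts = explode('~', $cookie, 2)) !== 2) return $default;`. Argument order is right as written: the locally computed salt is the first operand, matching the `@param` order of the new helper.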
    
  • classes/Kohana/Security.php (+22 −1, modified)
    @@ -81,8 +81,29 @@ public static function token($new = FALSE)
     	 */
     	public static function check($token)
     	{
    -		return Security::token() === $token;
    +		return Security::slow_equals(Security::token(), $token);
     	}
    +	
    +	
    +	
    +	/**
    +	 * Compare two hashes in a time-invariant manner.
    +	 * Prevents cryptographic side-channel attacks (timing attacks, specifically)
    +	 * 
    +	 * @param string $a cryptographic hash
    +	 * @param string $b cryptographic hash
    +	 * @return boolean
    +	 */
    +	public static function slow_equals($a, $b) 
    +	{
    +		$diff = strlen($a) ^ strlen($b);
    +		for($i = 0; $i < strlen($a) AND $i < strlen($b); $i++)
    +		{
    +			$diff |= ord($a[$i]) ^ ord($b[$i]);
    +		}
    +		return $diff === 0; 
    +	}
    +
     
     	/**
     	 * Remove image tags from a string.
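Review bot: `slow_equals()` calls `strlen()` on every iteration and stops at the shorter operand, so its running time still depends on the length of the caller-supplied string; that is acceptable here because the expected hash length is fixed and public, but the docblock should say so rather than promising a fully "time-invariant" comparison. The helper also assumes string arguments: a non-string `$token` (an array from a request parameter, say) makes `strlen()` emit a warning, so guard with `is_string()` or cast at the call site in `check()`. On PHP 5.6 and later `hash_equals()` gives the same guarantee natively and is worth preferring when available. Style: drop the three added lines that contain only a tab before the docblock, and the trailing whitespace on `public static function slow_equals($a, $b) ` and `return $diff === 0; `.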
    

Vulnerability mechanics

Both frameworks authenticate a cookie by recomputing a keyed hash over its value and comparing the result with the hash the client sent. Before the fix that comparison used PHP's `===` (visible in the removed lines of the Kohana commit above, for cookie signatures and for the value checked by `Security::check()`). `===` compares byte by byte and stops at the first mismatch, so a guess that shares a longer correct prefix with the real signature takes measurably longer to reject. A remote attacker who can observe that difference recovers the signature one byte at a time, then presents a cookie of their own choosing as authentic; per the description, that spoofed cookie is what opens the door to PHP object injection. The fix replaces `===` with `Security::slow_equals()`, which XORs every byte of both strings into an accumulator and only examines the accumulated difference at the end, so the duration no longer depends on where the first mismatch lies.
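The attack the description implies, as an added example written for this page (not code from Kohana, CodeIgniter or the advisory): a cookie of the form `hash~value` is verified once with an early-exit comparison modelled on PHP's `===` and once with a port of the patch's `Security::slow_equals()`. The secret, the cookie value and the `StepCounter` oracle are constructed for the demonstration; the oracle counts the bytes a comparison inspects instead of measuring wall-clock time, since that count is what a remote timing measurement estimates. `forge_signature()` recovers the HMAC one hex digit at a time against the early-exit comparison and gets nothing from the constant-time one.

```python
"""Timing-oracle recovery of a cookie signature, and the constant-time fix.

Added example; not code from Kohana, CodeIgniter or this advisory.
SECRET, the cookie value and StepCounter are constructed for the demo.
"""
import hashlib
import hmac

# Constructed secret for the demonstration; a real deployment keeps this out of source.
SECRET = b"constructed-demo-secret-do-not-reuse"
HEX = "0123456789abcdef"
DIGEST_HEX_LEN = hashlib.sha256().digest_size * 2  # 64; digest length is public


class StepCounter:
    """Counts byte comparisons performed: the side channel a timing attack measures."""

    def __init__(self):
        self.steps = 0


def sign(value: str) -> str:
    """HMAC-SHA256 over the cookie value, lowercase hex (64 chars)."""
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()


def early_exit_equals(a: str, b: str, counter: StepCounter) -> bool:
    """Models PHP's `===` on strings: same length, then stop at the first mismatch."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        counter.steps += 1
        if x != y:
            return False
    return True


def constant_time_equals(a: str, b: str, counter: StepCounter) -> bool:
    """Port of the patch's Security::slow_equals(): every byte is inspected."""
    diff = len(a) ^ len(b)
    for x, y in zip(a, b):
        counter.steps += 1
        diff |= ord(x) ^ ord(y)
    return diff == 0


def verify_cookie(cookie: str, equals, counter: StepCounter):
    """Split `hash~value` (as Kohana's Cookie::get() does) and check the signature."""
    parts = cookie.split("~", 1)
    if len(parts) != 2:
        return None
    supplied_hash, value = parts
    if equals(sign(value), supplied_hash, counter):
        return value
    return None


def forge_signature(value: str, equals):
    """Attacker side: recover sign(value) one hex digit at a time via the oracle.

    Returns the recovered signature, or None when the oracle does not single out
    one digit per position (what happens against constant_time_equals).
    """
    recovered = ""
    for pos in range(DIGEST_HEX_LEN):
        timings = {}
        for c in HEX:
            guess = (recovered + c).ljust(DIGEST_HEX_LEN, "0")
            counter = StepCounter()
            if verify_cookie(f"{guess}~{value}", equals, counter) is not None:
                return guess  # server accepted the forged cookie
            timings[c] = counter.steps
        slowest = max(timings.values())
        candidates = [c for c, t in timings.items() if t == slowest]
        if len(candidates) != 1:
            return None  # every guess took equally long: no information leaked
        # Only the correct digit at `pos` makes the comparison go on to byte pos+1.
        recovered += candidates[0]
    return None


if __name__ == "__main__":
    forged = forge_signature("user=admin", early_exit_equals)
    print("early-exit compare, forged signature valid:", forged == sign("user=admin"))
    print("constant-time compare, forged signature:", forge_signature("user=admin", constant_time_equals))
```

Against `early_exit_equals` the correct digit at each position is the unique guess that makes the server inspect at least one more byte, so 16 probes per position suffice for the whole 64-digit signature. Against `constant_time_equals` every probe inspects all 64 bytes and the search has nothing to rank. In production use the platform primitive rather than a hand-rolled loop: `hmac.compare_digest()` in Python, `hash_equals()` on PHP 5.6 and later.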
