SameSite may allow cross-site request forgery (CSRF) protection to be bypassed
Description
Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow SameSite Attackers to bypass the CodeIgniter4 CSRF protection mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., https://a.example.com/) of the target site (e.g., http://example.com/). Upgrade to CodeIgniter v4.2.3 or later and Shield v1.0.0-beta.2 or later. As a workaround: set Config\Security::$csrfProtection to 'session,'remove old session data right after login (immediately after ID and password match) and regenerate CSRF token right after login (immediately after ID and password match)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
codeigniter4/shieldPackagist | >= 1.0.0-beta, < 1.0.0-beta.2 | 1.0.0-beta.2 |
Affected products
3- osv-coords2 versions
< 4.2.3+ 1 more
- (no CPE)range: < 4.2.3
- (no CPE)range: >= 1.0.0-beta, < 1.0.0-beta.2
- Range: > 4.3.2, > v1.0.0-beta.2
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-5hm8-vh6r-2cjqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-35943ghsaADVISORY
- codeigniter4.github.io/userguide/libraries/security.htmghsax_refsource_MISCWEB
- developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSiteghsax_refsource_MISCWEB
- github.com/codeigniter4/shield/commit/342a368536678621998c3c41d276480cd14ec6c6ghsaWEB
- github.com/codeigniter4/shield/security/advisories/GHSA-5hm8-vh6r-2cjqghsax_refsource_CONFIRMWEB
- jub0bs.com/posts/2021-01-29-great-samesite-confusionghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.