CVE-2023-46240: CodeIgniter4 vulnerable to information disclosure when detailed error report is displayed in production environment
If an error or exception occurs in CodeIgniter4 v4.4.2 and earlier, a detailed error report is displayed even in the production environment. As a result, confidential information may be leaked.