CVE-2022-35943: Cross-Site Request Forgery (CSRF)
Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow SameSite Attackers to bypass the CodeIgniter4 CSRF protection mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., https://a.example.com/
) of the target site (e.g., http://example.com/
). Upgrade to CodeIgniter v4.2.3 or later and Shield v1.0.0-beta.2 or later. As a workaround: set Config\Security::$csrfProtection
to 'session,'
remove old session data right after login (immediately after ID and password match) and regenerate CSRF token right after login (immediately after ID and password match)
References
- codeigniter4.github.io/userguide/libraries/security.htm
- developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
- github.com/advisories/GHSA-5hm8-vh6r-2cjq
- github.com/codeigniter4/shield/commit/342a368536678621998c3c41d276480cd14ec6c6
- github.com/codeigniter4/shield/security/advisories/GHSA-5hm8-vh6r-2cjq
- jub0bs.com/posts/2021-01-29-great-samesite-confusion
- nvd.nist.gov/vuln/detail/CVE-2022-35943
Detect and mitigate CVE-2022-35943 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →