GMS-2023-4599: Insertion of Sensitive Information into Log

November 23, 2023

Impact

If successful login attempts are recorded, the raw tokens are stored in the log table. If a malicious person somehow views the data in the log table, he or she can obtain a raw token, which can then be used to send a request with that user’s authority.

When you (1) use the following authentiactors,

AccessTokens (tokens)
JWT (jwt)
HmacSha256 (hmac)

and you (2) log successful login attempts, the raw tokens are stored.

Patches

Upgrade to Shield v1.0.0-beta.8 or later.

Workarounds

Disable logging for successful login attempts by the configuration files.

AccessTokens or HmacSha256
- Set Config\AuthToken::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE
JWT
- Set Config\AuthJWT::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE

References

https://codeigniter4.github.io/shield/getting_started/authenticators/

For more information

If you have any questions or comments about this advisory:

Open an issue or discussion in codeigniter4/shield
Email us at security@codeigniter.com

References

Detect and mitigate GMS-2023-4599 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →