CVE-2022-39284 In earlier versions of CI, setting `$secure` or `$httponly` in `Config\Cookie` isn't reflected in `set_cookie()` or `Response::setCookie()`.
v4.2.7 and later fix this issue by setting these options to `true`. Users are advised to upgrade to v4.2.7 or later. Users unable to upgrade are advised to manually construct their cookies, either by setting the options in code or by constructing `Cookie` objects. Examples of each workaround are available in the linked GHSA.
In some cases `$httponly` is not set correctly, which exposes cookie values to client-side scripts. On the server side `$secure` is not configured correctly, which likewise exposes cookie values to client-side scripts. It should be noted that, due to the nature of these vulnerabilities, there is no easy way to fix these issues. When upgrading to v4.2.7 or later, these issues can be fixed in one of two ways:
- By setting `$httponly` or `$secure` in `Config\Cookie` to `true`.
- By setting `$httponly` or `$secure` in `Config\Cookie` to `false`.
v4.2.7 and later
If the server-side `$secure` cookie option is set to `false`, then new cookies are constructed with `$httponly` set to `true`. This way, client-side scripts can't read the cookie values. If the server-side `$secure` cookie option is set to `true`, then new cookies are constructed with both `$httponly` and `$secure` set to `true`.
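The workaround for installations that cannot upgrade, as an added example that is not taken from the advisory or from the CodeIgniter project: the flags are passed explicitly per cookie instead of relying on the ignored `Config\Cookie` defaults. It assumes a CI4 controller context where `$this->response` is available, and that `Response::setCookie()` accepts the positional `$secure`/`$httponly` arguments and `Cookie` instances as documented in the linked user guide.

```php
<?php
// Added example, not CodeIgniter's own code. On CI4 < 4.2.7 the $secure and
// $httponly defaults in Config\Cookie are not applied by set_cookie() or
// Response::setCookie(), so every cookie must carry the flags itself.

use CodeIgniter\Cookie\Cookie;
use CodeIgniter\HTTP\ResponseInterface;

// Workaround 1: pass the flags positionally to Response::setCookie().
// Assumed order (from the user guide): name, value, expire, domain, path,
// prefix, secure, httponly, samesite.
function setHardenedCookieByArgs(ResponseInterface $response, string $name, string $value): void
{
    $response->setCookie(
        $name,
        $value,
        3600,   // expire: seconds from now
        '',     // domain: current host
        '/',    // path
        '',     // prefix
        true,   // secure: only transmitted over HTTPS
        true,   // httponly: not readable via document.cookie
        'Lax'   // samesite
    );
}

// Workaround 2: build a Cookie object with explicit options; its own flags are
// honoured regardless of the broken config lookup.
function buildHardenedCookie(string $name, string $value): Cookie
{
    return new Cookie($name, $value, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Defensive check: refuse to send a cookie whose flags did not stick.
function sendCheckedCookie(ResponseInterface $response, Cookie $cookie): void
{
    if (! $cookie->isSecure() || ! $cookie->isHTTPOnly()) {
        throw new RuntimeException("Cookie {$cookie->getName()} is missing Secure/HttpOnly");
    }
    $response->setCookie($cookie);
}

// Usage inside a controller method (assumed context):
// sendCheckedCookie($this->response, buildHardenedCookie('session_token', $token));
```

Whichever workaround is used, confirm the result by inspecting the emitted `Set-Cookie` header for the `Secure` and `HttpOnly` attributes rather than trusting the configuration file.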
Timeline
Published on: 10/06/2022 20:15:00 UTC
Last modified on: 10/11/2022 16:26:00 UTC
References
- https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
- https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp
- https://github.com/codeigniter4/CodeIgniter4/issues/6540
- https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter%5CHTTP%5CResponse::setCookie
- https://github.com/codeigniter4/CodeIgniter4/pull/6544
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39284