CVE-2023-46240

CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://codeigniter4.github.io/userguide/general/errors.html#error-reporting	Product
https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563	Patch
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*

History

08 Nov 2023, 23:43

Type	Values Removed	Values Added
First Time		Codeigniter codeigniter Codeigniter
CPE		cpe:2.3:a:codeigniter:codeigniter::::::::
References	~~(MISC) https://codeigniter4.github.io/userguide/general/errors.html#error-reporting -~~	(MISC) https://codeigniter4.github.io/userguide/general/errors.html#error-reporting - Product
References	~~(MISC) https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563 -~~	(MISC) https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563 - Patch
References	~~(MISC) https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj -~~	(MISC) https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

31 Oct 2023, 17:07

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-31 16:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-46240

Mitre link : CVE-2023-46240

CVE.ORG link : CVE-2023-46240

JSON object : View

Products Affected

codeigniter

codeigniter

CWE

CWE-209

Generation of Error Message Containing Sensitive Information

{"id": "CVE-2023-46240", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-10-31T16:15:09.617", "references": [{"url": "https://codeigniter4.github.io/userguide/general/errors.html#error-reporting", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-209"}]}], "descriptions": [{"lang": "en", "value": "CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`."}, {"lang": "es", "value": "CodeIgniter es un framework web PHP de pila completa. Antes de CodeIgniter4 versi\u00f3n 4.4.3, si se produc\u00eda un error o una excepci\u00f3n, se mostraba un informe de error detallado incluso en el entorno de producci\u00f3n. Como resultado, se puede filtrar informaci\u00f3n confidencial. La versi\u00f3n 4.4.3 contiene un parche. Como workaround, reemplace `ini_set('display_errors', '0')` con `ini_set('display_errors', 'Off')` en `app/Config/Boot/production.php`."}], "lastModified": "2023-11-08T23:43:22.447", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "04B25A7E-3363-492A-A24A-B7D0087E9DAA", "versionEndExcluding": "4.4.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}