CVE-2023-46240 - OpenCVE

CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Codeigniter	Codeigniter

Configuration 1 [-]

cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*

References

Link	Resource
https://codeigniter4.github.io/userguide/general/errors.html#error-reporting	Product
https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563	Patch
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-10-31T15:03:51.798Z

Updated: 2023-10-31T15:03:51.798Z

Reserved: 2023-10-19T20:34:00.947Z

Link: CVE-2023-46240

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-31T16:15:09.617

Modified: 2023-11-08T23:43:22.447

Link: CVE-2023-46240

JSON object: View

Redhat Information

No data.

CWE

CWE-209

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-46240", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-19T20:34:00.947Z", "datePublished": "2023-10-31T15:03:51.798Z", "dateUpdated": "2023-10-31T15:03:51.798Z"}, "containers": {"cna": {"title": "CodeIgniter4 vulnerable to information disclosure when detailed error report is displayed in production environment", "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "lang": "en", "description": "CWE-209: Generation of Error Message Containing Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj"}, {"name": "https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563", "tags": ["x_refsource_MISC"], "url": "https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563"}, {"name": "https://codeigniter4.github.io/userguide/general/errors.html#error-reporting", "tags": ["x_refsource_MISC"], "url": "https://codeigniter4.github.io/userguide/general/errors.html#error-reporting"}], "affected": [{"vendor": "codeigniter4", "product": "CodeIgniter4", "versions": [{"version": "< 4.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-31T15:03:51.798Z"}, "descriptions": [{"lang": "en", "value": "CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`."}], "source": {"advisory": "GHSA-hwxf-qxj7-7rfj", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*", "matchCriteriaId": "04B25A7E-3363-492A-A24A-B7D0087E9DAA", "versionEndExcluding": "4.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`."}, {"lang": "es", "value": "CodeIgniter es un framework web PHP de pila completa. Antes de CodeIgniter4 versi\u00f3n 4.4.3, si se produc\u00eda un error o una excepci\u00f3n, se mostraba un informe de error detallado incluso en el entorno de producci\u00f3n. Como resultado, se puede filtrar informaci\u00f3n confidencial. La versi\u00f3n 4.4.3 contiene un parche. Como workaround, reemplace `ini_set('display_errors', '0')` con `ini_set('display_errors', 'Off')` en `app/Config/Boot/production.php`."}], "id": "CVE-2023-46240", "lastModified": "2023-11-08T23:43:22.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-10-31T16:15:09.617", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://codeigniter4.github.io/userguide/general/errors.html#error-reporting"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "security-advisories@github.com", "type": "Primary"}]}