CVE-2022-39284: Codeigniter4's Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued

CVSS Score (v3.1): 2.6

Basic Information

- EPSS Score: 0.35501%
- Published: 10/6/2022
- Updated: 7/12/2023
- KEV Status: No
- Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| codeigniter4/framework | composer | < 4.2.7 | 4.2.7 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from both functions (`set_cookie()` and `Response::setCookie()`) using hardcoded default values (`false`) for the `$secure` and `$httponly` parameters instead of respecting the `Config\Cookie` settings when cookies were created via array parameters. This is confirmed by the documented workaround, which requires specifying the parameters explicitly on every call, and by the patch notes indicating that the configuration values were not being properly initialized. Both functions are named directly in the vulnerability description as the affected functions.
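To make the root cause concrete, the following is an added illustrative script, not CodeIgniter's own code and not taken from the advisory. It reduces the pattern to a stand-alone PHP example: a cookie-issuing function whose array form carries hardcoded `false` defaults (the flaw), the same function falling back to the configured values (the fix), and a small check a test suite could use to catch the regression. The names `$cookieConfig`, `issueCookieVulnerable()`, `issueCookieFixed()`, `renderSetCookie()` and `honoursConfig()` are assumptions for this demo and do not exist in the framework.

```php
<?php
// Added illustrative example (not CodeIgniter's own code): the root-cause pattern
// described above, reduced to a stand-alone script. All names below are
// assumptions for this demo.

// Stand-in for the Config\Cookie settings an application sets to harden cookies.
$cookieConfig = [
    'secure'   => true,
    'httponly' => true,
];

// Vulnerable pattern: the array form of the call falls back to hardcoded false,
// so the configured values never reach the emitted cookie.
function issueCookieVulnerable(array $params): array
{
    return [
        'name'     => $params['name'],
        'value'    => $params['value'] ?? '',
        'secure'   => $params['secure'] ?? false,    // config ignored
        'httponly' => $params['httponly'] ?? false,  // config ignored
    ];
}

// Fixed pattern: an explicit per-call value still wins, but the fallback is the
// configured value rather than a hardcoded false.
function issueCookieFixed(array $params, array $config): array
{
    return [
        'name'     => $params['name'],
        'value'    => $params['value'] ?? '',
        'secure'   => $params['secure'] ?? $config['secure'],
        'httponly' => $params['httponly'] ?? $config['httponly'],
    ];
}

// Render the Set-Cookie header so the difference between the two paths is visible.
function renderSetCookie(array $cookie): string
{
    $header = sprintf('%s=%s', rawurlencode($cookie['name']), rawurlencode($cookie['value']));
    if ($cookie['secure']) {
        $header .= '; Secure';
    }
    if ($cookie['httponly']) {
        $header .= '; HttpOnly';
    }
    return 'Set-Cookie: ' . $header;
}

// Regression check: does an issued cookie honour the configured flags?
function honoursConfig(array $cookie, array $config): bool
{
    return $cookie['secure'] === $config['secure']
        && $cookie['httponly'] === $config['httponly'];
}

// Constructed sample call with no explicit flags, relying on the config.
$params = ['name' => 'pref', 'value' => 'dark'];

$vulnerable = issueCookieVulnerable($params);
$fixed      = issueCookieFixed($params, $cookieConfig);

echo renderSetCookie($vulnerable), PHP_EOL;
echo renderSetCookie($fixed), PHP_EOL;
var_dump(honoursConfig($vulnerable, $cookieConfig));
var_dump(honoursConfig($fixed, $cookieConfig));

// Workaround on unpatched versions: pass the flags explicitly in every call so the
// hardcoded defaults are never consulted.
$explicit = issueCookieVulnerable($params + ['secure' => true, 'httponly' => true]);
var_dump(honoursConfig($explicit, $cookieConfig));
```

Run as `php example.php`: the vulnerable path prints a `Set-Cookie` header without the `Secure` and `HttpOnly` attributes even though both are configured, the fixed path prints them, and the explicit-parameter call shows why the documented workaround is sufficient until the upgrade to 4.2.7. In a real application the `honoursConfig()` check is the kind of assertion to place in an integration test that inspects the response headers, so a future default-value regression is caught before deployment.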

Vulnerable functions


WAF Protection Rules

WAF Rule

### Impact

Setting `$secure` or `$httponly` value to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`.

> **Note**
> This vulnerability does not affect session cookies. The following code does not issue a cooki
