8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-46170

GHSA ID

GHSA-6cq5-8cj7-g558

EPSS Score

0.68799%

CWE

CWE-287

Published

12/22/2022

Updated

1/29/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-46170

CVE-2022-46170:
CodeIgniter4 Potential Session Handlers Vulnerability

Impact

When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to DatabaseHandler, MemcachedHandler, or RedisHandler, then if an attacker gets one session cookie (e.g., one for user pages), they may be able to access pages that require another session cookie (e.g., for admin pages).

Patches

Upgrade to version 4.2.11 or later.

Workarounds

Use only one session cookie.

References

https://codeigniter4.github.io/userguide/libraries/sessions.html#session-drivers

For more information

If you have any questions or comments about this advisory:

Open an issue in codeigniter4/CodeIgniter4
Email us at SECURITY.md

(GitHub Advisory)

8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-46170

GHSA ID

GHSA-6cq5-8cj7-g558

EPSS Score

0.68799%

CWE

CWE-287

Published

12/22/2022

Updated

1/29/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
codeigniter4/framework	composer	< 4.2.11	4.2.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from session handlers not including the session cookie name in storage keys. The commit adds sessionCookieName as a prefix to session IDs in database queries (DatabaseHandler) and key prefixes (Memcached/Redis). The original vulnerable functions handled session data without this namespacing, allowing session ID collisions between different cookies. The high confidence comes from direct correlation between the patch changes and the vulnerability description, with explicit modifications to these functions in the provided diffs.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t W**n *n *ppli**tion us*s (*) multipl* s*ssion *ooki*s (*.*., on* *or us*r p***s *n* on* *or **min p***s) *n* (*) * s*ssion **n*l*r is s*t to `**t***s***n*l*r`, `M*m********n*l*r`, or `R**is**n*l*r`, t**n i* *n *tt**k*r **ts on* s*ssion *o

Reasoning

T** vuln*r**ility st*mm** *rom s*ssion **n*l*rs not in*lu*in* t** s*ssion *ooki* n*m* in stor*** k*ys. T** *ommit ***s `s*ssion*ooki*N*m*` *s * pr**ix to s*ssion I*s in **t***s* qu*ri*s (`**t***s***n*l*r`) *n* k*y pr**ix*s (`M*m******/R**is`). T** or

8.6

Basic Information

Concerned about an active attack path?

CVE-2022-46170: CodeIgniter4 Potential Session Handlers Vulnerability

Impact

Patches

Workarounds

References

For more information

8.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-46170:
CodeIgniter4 Potential Session Handlers Vulnerability

Vulnerability Intelligence
Miggo AI