5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-27580

GHSA ID

GHSA-c5vj-f36q-p9vg

EPSS Score

0.27712%

CWE

CWE-916

Published

3/13/2023

Updated

3/23/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-27580

CVE-2023-27580: Password Shucking Vulnerability

Impact

An improper implementation was found in the password storage process.

All hashed passwords stored in Shield v1.0.0-beta.3 or earlier are easier to crack than expected due to the vulnerability. Therefore, they should be removed as soon as possible.

If an attacker gets (1) the user's hashed password by Shield, and (2) the hashed password (SHA-384 hash without salt) from somewhere, the attacker may easily crack the user's password.

Patches

Upgrade to Shield v1.0.0-beta.4 or later.

After upgrading, all users’ hashed passwords should be updated (saved to the database). See https://github.com/codeigniter4/shield/blob/develop/UPGRADING.md for details.

Workarounds

None.

References

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pre-hashing-passwords
https://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html
https://www.scottbrady91.com/authentication/beware-of-password-shucking

For more information

If you have any questions or comments about this advisory:

Open an issue or discussion in codeigniter4/shield
Email us at security@codeigniter.com

(GitHub Advisory)

5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-27580

GHSA ID

GHSA-c5vj-f36q-p9vg

EPSS Score

0.27712%

CWE

CWE-916

Published

3/13/2023

Updated

3/23/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
codeigniter4/shield	composer	< 1.0.0-beta.4	1.0.0-beta.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using SHA-384 pre-hashing without salt before bcrypt, as shown in the commit diff where these functions were replaced with direct password_hash/password_verify. The deprecated hashDanger() and verifyDanger() methods in the patched code represent the old vulnerable implementation. This implementation allowed attackers to exploit externally leaked SHA-384 hashes to bypass bcrypt's protection through password shucking, as described in the referenced security advisories and blog posts.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *n improp*r impl*m*nt*tion w*s *oun* in t** p*sswor* stor*** pro**ss. *ll **s*** p*sswor*s stor** in S*i*l* v*.*.*-**t*.* or **rli*r *r* **si*r to *r**k t**n *xp**t** *u* to t** vuln*r**ility. T**r**or*, t**y s*oul* ** r*mov** *s soon *s

Reasoning

T** vuln*r**ility st*ms *rom usin* S**-*** pr*-**s*in* wit*out s*lt ***or* **rypt, *s s*own in t** *ommit *i** w**r* t**s* *un*tions w*r* r*pl**** wit* *ir**t p*sswor*_**s*/p*sswor*_v*ri*y. T** **pr***t** **s***n**r() *n* v*ri*y**n**r() m*t*o*s in t*

5.9

Basic Information

Concerned about an active attack path?

CVE-2023-27580: Password Shucking Vulnerability

Impact

Patches

Workarounds

References

For more information

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI