CVE-2022-21647
Published: 2022-01-04
Priority: P270 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 37.67% (98.3rd percentile)
CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. The maintainers are aware of a working exploit, which can lead to SQL injection. Users are advised to upgrade to v4.1.6 or later. Users unable to upgrade are advised not to use the `old()` function and form_helper, nor `RedirectResponse::withInput()` and `redirect()->withInput()`.
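The pattern behind this advisory, shown as an added example that is not CodeIgniter's own code: a constructed stand-in for the pre-4.1.6 `old()` logic, in which a value flashed to the session by `withInput()` was passed to `unserialize()` when it looked like a serialized array or string, next to a hardened version that hands the flashed value back without ever deserializing it. The `AuditLogger` class, the `old_vulnerable`/`old_hardened` names, the prefix check and the payload are assumptions made for this example; the gadget only echoes, but the `__wakeup()` or `__destruct()` of any autoloadable application or vendor class would run the same way, which is how the advisory's "execute existing PHP code" and SQL-injection outcomes arise.

```php
<?php
// Added example modelling CVE-2022-21647 (not CodeIgniter's source).
// Assumption: before 4.1.6, redirect()->withInput() stored raw $_POST in the
// session and old() unserialized any value that looked serialized.
declare(strict_types=1);

// Stand-in for any class the autoloader can find. PHP runs its magic
// methods as soon as an instance is reconstructed by unserialize().
final class AuditLogger
{
    public string $cmd = '';

    public function __wakeup(): void
    {
        // A real gadget chain would run a query, write a file, call a method...
        echo "[gadget] __wakeup ran with cmd=" . $this->cmd . PHP_EOL;
    }
}

// Vulnerable pattern: prefix check, then unserialize() on user-controlled input.
function old_vulnerable(array $flashedInput, string $key, $default = null)
{
    $value = $flashedInput['post'][$key] ?? $default;
    if (is_string($value) && (strpos($value, 'a:') === 0 || strpos($value, 's:') === 0)) {
        $value = unserialize($value); // objects nested in the array are instantiated
    }
    return $value;
}

// Hardened pattern: the session already holds native PHP arrays/strings, so
// there is nothing to deserialize; return scalars and arrays, nothing else.
function old_hardened(array $flashedInput, string $key, $default = null)
{
    $value = $flashedInput['post'][$key] ?? $default;
    return (is_array($value) || is_scalar($value)) ? $value : $default;
}

// Constructed payload: a serialized array whose only element is an object.
$payload = 'a:1:{i:0;O:11:"AuditLogger":1:{s:3:"cmd";s:10:"DROP users";}}';
$session = ['post' => ['username' => $payload]];   // what withInput() would flash

echo "vulnerable old():\n";
var_dump(old_vulnerable($session, 'username'));    // __wakeup fires, object returned

echo "hardened old():\n";
var_dump(old_hardened($session, 'username'));      // the raw string comes back untouched

// If deserialization were genuinely unavoidable, refusing classes turns the
// object into __PHP_Incomplete_Class and no magic method runs.
var_dump(unserialize($payload, ['allowed_classes' => false]));
```

Run it with `php example.php`; the first `var_dump` is preceded by the `[gadget]` line, the other two are not. When auditing an application for this bug class, grep for `unserialize(` calls that lack the `allowed_classes` option and trace whether their argument can originate from a request, a cookie or a session value that a request can populate.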
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codeigniter | codeigniter | >= 4.0.0 < 4.1.6 | 4.1.6 |
| codeigniter4 | codeigniter4 | < 4.1.6 | 4.1.6 |
| codeigniter4 | framework | >= 0 < 4.1.6 | 4.1.6 |
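A version check a practitioner can run against a project's lock file, as an added example (not part of this page or of CodeIgniter): it reads `composer.lock`, looks for the two Composer package names from the table above, normalises the `v` prefix and compares against the fixed version 4.1.6. The `checkComposerLock` and `normalizeVersion` names and the sample lock content are assumptions made for this example; `dev-*` versions cannot be compared numerically and are flagged for manual inspection.

```php
<?php
// Added example (not CodeIgniter's code): is the locked CodeIgniter4 version
// inside the affected range of CVE-2022-21647 (< 4.1.6)?
declare(strict_types=1);

const CI4_PACKAGES = ['codeigniter4/framework', 'codeigniter4/codeigniter4'];
const CI4_FIXED_IN = '4.1.6';

/** Composer may record "v4.1.5"; version_compare wants "4.1.5". */
function normalizeVersion(string $v): string
{
    return ltrim($v, 'vV');
}

/**
 * Returns [package, version, vulnerable] for the first CodeIgniter4 package in
 * the lock file, or null if none is locked. vulnerable is true/false, or null
 * for dev-* versions that cannot be compared (inspect manually).
 */
function checkComposerLock(string $lockJson): ?array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (!in_array($pkg['name'] ?? '', CI4_PACKAGES, true)) {
                continue;
            }
            $version = normalizeVersion((string) ($pkg['version'] ?? ''));
            if (strpos($version, 'dev-') === 0) {
                return [$pkg['name'], $version, null];
            }
            return [$pkg['name'], $version, version_compare($version, CI4_FIXED_IN, '<')];
        }
    }
    return null;
}

// Constructed sample lock file (not taken from a real project).
$sampleLock = json_encode(['packages' => [
    ['name' => 'psr/log',                 'version' => '1.1.4'],
    ['name' => 'codeigniter4/framework',  'version' => 'v4.1.5'],
]], JSON_THROW_ON_ERROR);

$result = checkComposerLock($sampleLock);
if ($result === null) {
    echo "no CodeIgniter4 package locked\n";
} else {
    [$name, $version, $vulnerable] = $result;
    printf("%s %s: %s\n", $name, $version,
        $vulnerable === null ? 'dev version, check manually'
                             : ($vulnerable ? 'VULNERABLE (< 4.1.6)' : 'fixed'));
}
```

Point the script at a real project by replacing `$sampleLock` with `file_get_contents('composer.lock')`. Projects that vendor the framework by copying the `system/` directory rather than through Composer should check `CodeIgniter\CodeIgniter::CI_VERSION` instead.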
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
GHSA
ghsa · 2022-01-06
CVE-2022-21647 [HIGH] CWE-502 Deserialization of Untrusted Data in Codeigniter4
### Impact
Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4.
Remote attackers may inject auto-loadable arbitrary objects with this vulnerability,
and possibly execute existing PHP code on the server.
We are aware of a working exploit, which can lead to SQL injection.
### Patches
Upgrade to v4.1.6 or later.
### Workarounds
Do not use:
- `old()` and form_helper
- `RedirectResponse::withInput()` and `redirect()->withInput()`
### References
- [PHP Object Injection | OWASP](https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection)
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [codeigniter4/CodeIgniter4](https://github.com/codeigniter4/Cod
OSV
osv · 2022-01-06
CVE-2022-21647 [HIGH] Deserialization of Untrusted Data in Codeigniter4
(The OSV entry carries the same advisory text as the GHSA entry above.)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-w6jr-wj64-mc9x
- https://github.com/codeigniter4/CodeIgniter4/commit/ce95ed5765256e2f09f3513e7d42790e0d6948f5