CVE-2023-46240 - OpenCVE

CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Codeigniter	Codeigniter

Configuration 1 [-]

cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://codeigniter4.github.io/userguide/general/errors.html#error-reporting
https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-10-31T15:03:51.798Z

Updated: 2024-09-05T17:36:02.600Z

Reserved: 2023-10-19T20:34:00.947Z

Link: CVE-2023-46240

Vulnrichment

Updated: 2024-08-02T20:37:40.233Z

NVD

Status : Analyzed

Published: 2023-10-31T16:15:09.617

Modified: 2023-11-08T23:43:22.447

Link: CVE-2023-46240

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46240", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-19T20:34:00.947Z", "datePublished": "2023-10-31T15:03:51.798Z", "dateUpdated": "2024-09-05T17:36:02.600Z"}, "containers": {"cna": {"title": "CodeIgniter4 vulnerable to information disclosure when detailed error report is displayed in production environment", "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "lang": "en", "description": "CWE-209: Generation of Error Message Containing Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj"}, {"name": "https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563", "tags": ["x_refsource_MISC"], "url": "https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563"}, {"name": "https://codeigniter4.github.io/userguide/general/errors.html#error-reporting", "tags": ["x_refsource_MISC"], "url": "https://codeigniter4.github.io/userguide/general/errors.html#error-reporting"}], "affected": [{"vendor": "codeigniter4", "product": "CodeIgniter4", "versions": [{"version": "< 4.4.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-31T15:03:51.798Z"}, "descriptions": [{"lang": "en", "value": "CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`."}], "source": {"advisory": "GHSA-hwxf-qxj7-7rfj", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:37:40.233Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj"}, {"name": "https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563"}, {"name": "https://codeigniter4.github.io/userguide/general/errors.html#error-reporting", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://codeigniter4.github.io/userguide/general/errors.html#error-reporting"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-05T17:35:16.659348Z", "id": "CVE-2023-46240", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T17:36:02.600Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj", "name": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563", "name": "https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://codeigniter4.github.io/userguide/general/errors.html#error-reporting", "name": "https://codeigniter4.github.io/userguide/general/errors.html#error-reporting", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:37:40.233Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-46240", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-05T17:35:16.659348Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T17:35:56.852Z"}}], "cna": {"title": "CodeIgniter4 vulnerable to information disclosure when detailed error report is displayed in production environment", "source": {"advisory": "GHSA-hwxf-qxj7-7rfj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "codeigniter4", "product": "CodeIgniter4", "versions": [{"status": "affected", "version": "< 4.4.3"}]}], "references": [{"url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj", "name": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563", "name": "https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563", "tags": ["x_refsource_MISC"]}, {"url": "https://codeigniter4.github.io/userguide/general/errors.html#error-reporting", "name": "https://codeigniter4.github.io/userguide/general/errors.html#error-reporting", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "CWE-209: Generation of Error Message Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-31T15:03:51.798Z"}}}, "cveMetadata": {"cveId": "CVE-2023-46240", "state": "PUBLISHED", "dateUpdated": "2024-09-05T17:36:02.600Z", "dateReserved": "2023-10-19T20:34:00.947Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-10-31T15:03:51.798Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*", "matchCriteriaId": "04B25A7E-3363-492A-A24A-B7D0087E9DAA", "versionEndExcluding": "4.4.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`."}, {"lang": "es", "value": "CodeIgniter es un framework web PHP de pila completa. Antes de CodeIgniter4 versi\u00f3n 4.4.3, si se produc\u00eda un error o una excepci\u00f3n, se mostraba un informe de error detallado incluso en el entorno de producci\u00f3n. Como resultado, se puede filtrar informaci\u00f3n confidencial. La versi\u00f3n 4.4.3 contiene un parche. Como workaround, reemplace `ini_set('display_errors', '0')` con `ini_set('display_errors', 'Off')` en `app/Config/Boot/production.php`."}], "id": "CVE-2023-46240", "lastModified": "2023-11-08T23:43:22.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-10-31T16:15:09.617", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://codeigniter4.github.io/userguide/general/errors.html#error-reporting"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "security-advisories@github.com", "type": "Primary"}]}