CodeIgniter4 vulnerable to information disclosure when detailed error report is displayed in production environment
CVE-2023-46240

7.5HIGH

Key Information:

Vendor

Codeigniter4

Status
Codeigniter4
Vendor
CVE Published:
31 October 2023

What is CVE-2023-46240?

The CodeIgniter framework has a vulnerability that causes detailed error reports to be displayed when exceptions occur, even in production environments. This behavior can inadvertently leak sensitive information, such as database credentials and paths, potentially compromising application security. The issue is present in all versions prior to CodeIgniter 4.4.3. Users are advised to update to this latest version or apply the workaround by modifying the error display settings in the configuration files.

Affected Version(s)

CodeIgniter4 < 4.4.3

References

https://github.com/codeigniter4/CodeIgniter4/security/adv...
x_refsource_CONFIRM
https://github.com/codeigniter4/CodeIgniter4/commit/42356...
x_refsource_MISC
https://codeigniter4.github.io/userguide/general/errors.h...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.