CVE-2022-39284: 
PHP vulnerability analysis and mitigation

CodeIgniter, a PHP full-stack web framework, was found to have a security vulnerability (CVE-2022-39284) in versions prior to 4.2.7. The issue involves the $secure or $httponly values set to true in Config\Cookie not being properly reflected in set_cookie() or Response::setCookie() functions, resulting in cookie values being erroneously exposed to scripts. This vulnerability was discovered and disclosed in October 2022, though it notably does not affect session cookies (GitHub Advisory, NVD).

The vulnerability stems from an implementation flaw where the cookie configuration settings in Config\Cookie are not properly applied when creating new cookies. When using the set_cookie() helper function or Response::setCookie() method, the security flags specified in the configuration are ignored, potentially exposing cookie data. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) by NVD, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

The primary impact of this vulnerability is that cookies intended to be secure can be exposed to unauthorized access. When the secure flag is not properly set, cookies may be transmitted over insecure HTTP connections, making them vulnerable to interception. Similarly, when the httponly flag is not applied as configured, cookies become accessible to client-side scripts, potentially exposing them to cross-site scripting (XSS) attacks (GitHub Advisory).

Users are advised to upgrade to CodeIgniter version 4.2.7 or later which contains the fix for this vulnerability. For those unable to upgrade immediately, two workarounds are available: 1) Explicitly specify the security options when setting cookies, or 2) Use the Cookie object directly. Example of explicit specification: set_cookie(['name' => $name, 'value' => $value, 'secure' => true, 'httponly' => true]) (GitHub Advisory).