CVE-2022-46170: 
PHP vulnerability analysis and mitigation

CodeIgniter is a PHP full-stack web framework that was found to contain a session handling vulnerability identified as CVE-2022-46170. The vulnerability was discovered and disclosed on December 22, 2022. This security issue affects applications using multiple session cookies in conjunction with DatabaseHandler, MemcachedHandler, or RedisHandler session handlers in versions prior to 4.2.11 (NVD, GitHub Advisory).

The vulnerability occurs when an application implements multiple session cookies (for example, separate cookies for user pages and admin pages) while using either DatabaseHandler, MemcachedHandler, or RedisHandler as the session handler. The issue stems from improper session management that could allow unauthorized access between different session contexts. The vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical), with a base vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L (GitHub Advisory).

If exploited, this vulnerability could allow an attacker who has obtained one session cookie (such as one for user pages) to gain unauthorized access to pages that should require a different session cookie (such as those for admin pages). This represents a significant security breach that could lead to unauthorized access to privileged sections of the application (GitHub Advisory).

The primary mitigation is to upgrade to CodeIgniter version 4.2.11 or later, which contains the patch for this vulnerability. For users unable to upgrade immediately, the recommended workaround is to use only one session cookie instead of multiple session cookies. The fix involves changes to how session handlers manage session keys and includes modifications to the DatabaseHandler, MemcachedHandler, and RedisHandler components (GitHub Advisory).