CVE-2023-27580: 
PHP vulnerability analysis and mitigation

CodeIgniter Shield provides authentication and authorization for the CodeIgniter 4 PHP framework. An improper implementation was found in the password storage process affecting Shield versions prior to v1.0.0-beta.4. All hashed passwords stored in Shield v1.0.0-beta.3 or earlier are easier to crack than expected due to the vulnerability. The issue was discovered and disclosed in March 2023 (GitHub Advisory).

The vulnerability is related to password shucking, where an attacker can strip layers off an updated password hash, removing the benefits of its new password hashing algorithm and reverting it to its weaker algorithm. If an attacker obtains both the user's hashed password from Shield and a SHA-384 hash without salt from somewhere else, they can easily crack the user's password. The vulnerability has a CVSS v3.1 score of 5.9 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

If exploited, an attacker could potentially crack user passwords more easily than intended, especially if users have reused passwords across different sites. The vulnerability makes the password hashes significantly weaker than they should be, reducing the computational effort required to crack them (OWASP).

Users should upgrade to Shield v1.0.0-beta.4 or later to fix this vulnerability. After upgrading, all users' hashed passwords should be updated and saved to the database. There are no known workarounds for this vulnerability. For systems still using older versions, the passwords should be removed as soon as possible (GitHub Advisory).