CVE-2023-48707: 
PHP vulnerability analysis and mitigation

CodeIgniter Shield, an authentication and authorization provider for CodeIgniter 4, was found to have a vulnerability (CVE-2023-48707) where the secretKey value, which is crucial for HMAC SHA256 authentication, was stored in cleartext form in the database. This vulnerability was discovered and disclosed on November 24, 2023, affecting versions prior to 1.0.0-beta.8. The issue has been patched in version 1.0.0-beta.8 (GitHub Advisory).

The vulnerability stems from the improper storage of HMAC SHA256 authentication keys in the database. The secretKey, which is used for HMAC SHA256 authentication, was stored in cleartext form instead of being encrypted. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 MEDIUM by NVD, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue is classified under CWE-312 (Cleartext Storage of Sensitive Information) (NVD).

If a malicious actor gains access to the database, they could extract the stored secretKey and use it in combination with the key to impersonate users by sending authenticated requests on their behalf. This could lead to unauthorized access and potential account compromise (GitHub Advisory).

Users are strongly advised to upgrade to Shield version 1.0.0-beta.8 or later. After upgrading, it is necessary to encrypt all existing secret keys. The patch implements proper encryption for the secretKey storage. There are no known workarounds for this vulnerability other than upgrading to the patched version (GitHub Advisory).