CVE-2023-27580 : CodeIgniter Shield provides authentication and authorization for the CodeIgniter

CodeIgniter Shield provides authentication and authorization for the CodeIgniter 4 PHP framework. An improper implementation was found in the password storage process. All hashed passwords stored in Shield v1.0.0-beta.3 or earlier are easier to crack than expected due to the vulnerability. Therefore, they should be removed as soon as possible. If an attacker gets (1) the user's hashed password by Shield, and (2) the hashed password (SHA-384 hash without salt) from somewhere, the attacker may easily crack the user's password. Upgrade to Shield v1.0.0-beta.4 or later to fix this issue. After upgrading, all users’ hashed passwords should be updated (saved to the database). There are no known workarounds.

Published 2023-03-13 18:15:13

Updated 2023-03-23 15:13:04

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2023-27580

Codeigniter » Shield » Version: 1.0.0 Update Beta
cpe:2.3:a:codeigniter:shield:1.0.0:beta:*:*:*:*:*:*
Matching versions
Codeigniter » Shield » Version: 1.0.0 Update Beta3
cpe:2.3:a:codeigniter:shield:1.0.0:beta3:*:*:*:*:*:*
Matching versions
Codeigniter » Shield » Version: 1.0.0 Update Beta2
cpe:2.3:a:codeigniter:shield:1.0.0:beta2:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-27580

EPSS FAQ

0.10%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 28 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-27580

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2023-27580

CWE-916 Use of Password Hash With Insufficient Computational Effort

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2023-27580

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pre-hashing-passwords

Password Storage - OWASP Cheat Sheet Series
Not Applicable
https://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html

Security Issue: Combining Bcrypt With Other Hash Functions | ircmaxell's Blog
Third Party Advisory
https://github.com/codeigniter4/shield/blob/develop/UPGRADING.md

shield/UPGRADING.md at develop · codeigniter4/shield · GitHub
Vendor Advisory
https://www.scottbrady91.com/authentication/beware-of-password-shucking

Beware of Password Shucking
Third Party Advisory
https://github.com/codeigniter4/shield/commit/ea9688dd01d100193d834117dbfc2cfabcf9ea0b

Merge pull request from GHSA-c5vj-f36q-p9vg · codeigniter4/shield@ea9688d · GitHub
Patch
https://github.com/codeigniter4/shield/security/advisories/GHSA-c5vj-f36q-p9vg

Password Shucking Vulnerability · Advisory · codeigniter4/shield · GitHub
Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-27580

Products affected by CVE-2023-27580

Exploit prediction scoring system (EPSS) score for CVE-2023-27580

CVSS scores for CVE-2023-27580

CWE ids for CVE-2023-27580

References for CVE-2023-27580