Vulnerability Details CVE-2014-8684
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.448
EPSS Ranking 97.4%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html
- http://seclists.org/fulldisclosure/2014/May/54
- https://github.com/kohana/core/pull/492
- https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection
- http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html
- http://seclists.org/fulldisclosure/2014/May/54
- https://github.com/kohana/core/pull/492
- https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection
Products affected by CVE-2014-8684
-
cpe:2.3:a:codeigniter:codeigniter:1.0
-
cpe:2.3:a:codeigniter:codeigniter:1.1
-
cpe:2.3:a:codeigniter:codeigniter:1.2.0
-
cpe:2.3:a:codeigniter:codeigniter:1.3.0
-
cpe:2.3:a:codeigniter:codeigniter:1.3.1
-
cpe:2.3:a:codeigniter:codeigniter:1.3.2
-
cpe:2.3:a:codeigniter:codeigniter:1.3.3
-
cpe:2.3:a:codeigniter:codeigniter:1.4.0
-
cpe:2.3:a:codeigniter:codeigniter:1.4.1
-
cpe:2.3:a:codeigniter:codeigniter:1.5.0
-
cpe:2.3:a:codeigniter:codeigniter:1.5.0.1
-
cpe:2.3:a:codeigniter:codeigniter:1.5.1
-
cpe:2.3:a:codeigniter:codeigniter:1.5.2
-
cpe:2.3:a:codeigniter:codeigniter:1.5.3
-
cpe:2.3:a:codeigniter:codeigniter:1.5.4
-
cpe:2.3:a:codeigniter:codeigniter:1.6.0
-
cpe:2.3:a:codeigniter:codeigniter:1.6.1
-
cpe:2.3:a:codeigniter:codeigniter:1.6.2
-
cpe:2.3:a:codeigniter:codeigniter:1.6.3
-
cpe:2.3:a:codeigniter:codeigniter:1.7.0
-
cpe:2.3:a:codeigniter:codeigniter:1.7.1
-
cpe:2.3:a:codeigniter:codeigniter:1.7.2
-
cpe:2.3:a:codeigniter:codeigniter:2.0.0
-
cpe:2.3:a:codeigniter:codeigniter:2.0.1
-
cpe:2.3:a:codeigniter:codeigniter:2.0.2
-
cpe:2.3:a:codeigniter:codeigniter:2.0.3
-
cpe:2.3:a:codeigniter:codeigniter:2.1.0
-
cpe:2.3:a:codeigniter:codeigniter:2.1.1
-
cpe:2.3:a:codeigniter:codeigniter:2.1.2
-
cpe:2.3:a:codeigniter:codeigniter:2.1.3
-
cpe:2.3:a:codeigniter:codeigniter:2.1.4
-
cpe:2.3:a:codeigniter:codeigniter:2.2.0
-
cpe:2.3:a:codeigniter:codeigniter:2.2.1
-
cpe:2.3:a:codeigniter:codeigniter:2.2.2
-
cpe:2.3:a:codeigniter:codeigniter:2.2.3
-
cpe:2.3:a:codeigniter:codeigniter:2.2.4
-
cpe:2.3:a:codeigniter:codeigniter:2.2.5
-
cpe:2.3:a:codeigniter:codeigniter:2.2.6
-
cpe:2.3:a:kohanaframework:kohana:3.2.3
-
cpe:2.3:a:kohanaframework:kohana:3.3.0
-
cpe:2.3:a:kohanaframework:kohana:3.3.1