Cyber Resilience

CVE-2022-21647

Severity: High | Type: RCE

Published: 04 January 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: see references
CVSS v3.1 score: 7.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H)
EPSS score: 0.0994 (93.2nd percentile)
Risk priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-21647 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in the CodeIgniter PHP framework (vendor CodeIgniter, product CodeIgniter). Its CVSS base score is 7.7 (High).

Operationally, it ranks in the top 6.8% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CodeIgniter4, an open source PHP full-stack web framework, contains a deserialization of untrusted data flaw in the old() function. The issue, tracked as CVE-2022-21647 and assigned CWE-502, allows remote injection of auto-loadable arbitrary objects that can lead to execution of existing PHP code on the server, including a working exploit path that results in SQL injection. The vulnerability carries a CVSS 3.1 score of 7.7 with network attack vector and high impact on integrity and availability.

An unauthenticated remote attacker can supply crafted input through form helpers or redirect responses that invoke old() or RedirectResponse::withInput(), triggering unsafe deserialization without requiring user interaction or credentials. Successful exploitation enables object injection that an attacker can leverage to execute attacker-controlled code paths already present in the application, potentially compromising database contents via the demonstrated SQL injection.

Advisories from the CodeIgniter4 project recommend immediate upgrade to version 4.1.6 or later. When patching is not feasible, operators are advised to avoid use of the old() function, form_helper, RedirectResponse::withInput(), and redirect()->withInput(). The referenced GitHub security advisory and commit provide the patch details that address the unsafe deserialization.
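The PHP sketch below is added here as an illustration and is not CodeIgniter's own code or its patch. It places the pattern the advisory describes, a flash-input helper that hands stored form input to unserialize() (the CWE-502 sink), next to a hardened version that round-trips the input as JSON. The helper names (restoreOldUnsafe, flashInputSafe, restoreOldSafe) are hypothetical and it assumes PHP 7.3 or later for JSON_THROW_ON_ERROR.

```php
<?php
// Added illustration for CVE-2022-21647 (CWE-502). Helper names are hypothetical
// and only mirror the shape of old()/withInput(); this is not CodeIgniter's code.

// Vulnerable pattern: a value flashed with serialize() is read back from the
// session and fed straight to unserialize(). The stored string originates from
// form input, so any autoloadable class can be instantiated (object injection).
function restoreOldUnsafe(array $flash, string $key, $default = null)
{
    $value = $flash[$key] ?? null;
    if (!is_string($value)) {
        return $default;
    }
    return unserialize($value);   // the CWE-502 sink
}

// Hardened pattern: flash input as JSON and decode only to arrays.
// json_decode() cannot instantiate application classes, so the sink is gone
// even when the stored string is fully attacker-controlled.
function flashInputSafe(array $input): string
{
    return json_encode($input, JSON_THROW_ON_ERROR);
}

function restoreOldSafe(array $flash, string $key, $default = null)
{
    $raw = $flash['_old_input'] ?? null;
    if (!is_string($raw)) {
        return $default;
    }
    try {
        $old = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return $default;          // tampered or malformed flash data is discarded
    }
    return is_array($old) ? ($old[$key] ?? $default) : $default;
}

// Constructed probe: a serialized stdClass, harmless by itself, used only to
// check whether a code path instantiates objects from stored input.
$probe = 'O:8:"stdClass":0:{}';
// Unsafe path: the probe comes back as a live object.
var_dump(restoreOldUnsafe(['email' => $probe], 'email') instanceof stdClass);
// Safe path: the same text comes back as an ordinary string.
var_dump(restoreOldSafe(['_old_input' => flashInputSafe(['email' => $probe])], 'email'));
// If unserialize() cannot be removed from a legacy path, allowed_classes=false
// turns every 'O:' entry into __PHP_Incomplete_Class instead of a real object.
var_dump(unserialize($probe, ['allowed_classes' => false]) instanceof __PHP_Incomplete_Class);
```

Running the file under php-cli with an unpatched and a hardened helper side by side is a quick way to confirm which code paths in an application still reach unserialize() with session-stored input.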


Vulnerability details

CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server.

We are aware of a working exploit, which can lead to SQL injection. Users are advised to upgrade to v4.1.6 or later. Users unable to upgrade are advised to not use the `old()` function and form_helper nor `RedirectResponse::withInput()` and `redirect()->withInput()`.

CWE(s)

CWE-502: Deserialization of Untrusted Data

Related Threats

No named actor attribution yet. ATT&CK technique mapping is in progress for this CVE.

Affected Assets

Vendor: codeigniter
Product: codeigniter
Affected versions: 4.0.0 to 4.1.6 (the advisory names 4.1.6 as the fixed release)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following controls addresses CWE-502:

- Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.
- Untrusted serialized data can be deserialized and observed inside an isolated sandbox, blocking gadget-chain exploitation outside that sandbox.
- Validates or rejects untrusted serialized data before deserialization occurs.
- Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
- Integrity verification of serialized information can detect tampering before deserialization occurs.
- Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.

References