CVE-2022-21647
Published: 04 January 2022
Summary
CVE-2022-21647 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in CodeIgniter (NVD lists the vendor and product as Codeigniter). Its CVSS base score is 7.7 (High).
Operationally, it ranks in the top 6.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CodeIgniter4, an open source PHP full-stack web framework, contains a deserialization of untrusted data flaw in the old() function. The issue, tracked as CVE-2022-21647 and assigned CWE-502, allows remote injection of auto-loadable arbitrary objects that can lead to execution of existing PHP code on the server, including a working exploit path that results in SQL injection. The vulnerability carries a CVSS 3.1 score of 7.7 with network attack vector and high impact on integrity and availability.
An unauthenticated remote attacker can supply crafted input through form helpers or redirect responses that invoke old() or RedirectResponse::withInput(), triggering unsafe deserialization without requiring user interaction or credentials. Successful exploitation enables object injection that an attacker can leverage to execute attacker-controlled code paths already present in the application, potentially compromising database contents via the demonstrated SQL injection.
Advisories from the CodeIgniter4 project recommend immediate upgrade to version 4.1.6 or later. When patching is not feasible, operators are advised to avoid use of the old() function, form_helper, RedirectResponse::withInput(), and redirect()->withInput(). The referenced GitHub security advisory and commit provide the patch details that address the unsafe deserialization.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-0719
Vulnerability details
CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection. Users are advised to upgrade to v4.1.6 or later. Users unable to upgrade are advised not to use the `old()` function and form_helper, nor `RedirectResponse::withInput()` and `redirect()->withInput()`.
- CWE(s): CWE-502 Deserialization of Untrusted Data
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-502) cited in the NVD entry.
- Penetration testing that supplies malicious serialized objects detects unsafe deserialization and supports corrective action.
- Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the remediation process then addresses.
- Sandboxing: untrusted serialized data is deserialized and observed inside an isolated environment, so gadget-chain execution cannot reach the production system.
- Input validation: untrusted serialized data is validated or rejected before deserialization occurs.
- Malicious code protection: code introduced through deserialization of untrusted data is identified and blocked at system boundaries.
- Integrity verification of serialized data (for example a MAC or signature) detects tampering before deserialization occurs.
- Data provenance tracking allows untrusted sources to be identified and refused before deserialization or processing occurs.
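The following PHP is an added illustration of the weakness class this entry describes and of the last four controls above (input validation, integrity verification, refusing objects). It is not CodeIgniter's code and not the project's patch: it models, with hypothetical helper names (oldInputWeak, oldInputNoObjects, storeOldInput, oldInputJson), a form-repopulation store that round-trips previously submitted input through the client. The weak helper hands that payload to unserialize() with no class restriction, which is the CWE-502 pattern; the hardened helpers refuse objects outright, or avoid PHP serialization and authenticate the blob with an HMAC before decoding it.

```php
<?php
// Added example, not CodeIgniter's code. Helper names and the demo key are hypothetical.
declare(strict_types=1);

// --- Weak pattern: unserialize() on data that came back from the client ---
// Every object encoded in the payload is instantiated, so any autoloadable
// class with side-effecting magic methods is reachable from untrusted input.
function oldInputWeak(string $rawFlash, string $field): mixed
{
    $data = @unserialize($rawFlash);          // no class restriction
    return is_array($data) ? ($data[$field] ?? null) : null;
}

// --- Hardened pattern 1: refuse objects ---
// allowed_classes => false turns every object into __PHP_Incomplete_Class,
// so no application class is constructed; values must also be plain text.
function oldInputNoObjects(string $rawFlash, string $field): mixed
{
    $data = @unserialize($rawFlash, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    $value = $data[$field] ?? null;
    return isScalarTree($value) ? $value : null;
}

// --- Hardened pattern 2: JSON plus an integrity check ---
// JSON cannot encode PHP objects, and the HMAC is verified before decoding,
// so a tampered blob never reaches the parser.
function storeOldInput(array $input, string $key): string
{
    $json = json_encode($input, JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $json, $key) . '.' . base64_encode($json);
}

function oldInputJson(string $stored, string $field, string $key): mixed
{
    $parts = explode('.', $stored, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $b64] = $parts;
    $json = base64_decode($b64, true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        return null;                          // integrity check failed
    }
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? ($data[$field] ?? null) : null;
}

// Old form input is text or nested arrays of text; anything else is rejected.
function isScalarTree(mixed $v): bool
{
    if (is_scalar($v) || $v === null) {
        return true;
    }
    if (!is_array($v)) {
        return false;
    }
    foreach ($v as $item) {
        if (!isScalarTree($item)) {
            return false;
        }
    }
    return true;
}

// Constructed demo input: a serialized array that smuggles an object in "email".
$key   = 'constructed-demo-key';
$flash = serialize(['email' => new DateTime('2022-01-04'), 'name' => 'demo']);

var_dump(oldInputWeak($flash, 'email'));      // object(DateTime): instantiated
var_dump(oldInputNoObjects($flash, 'email')); // NULL: object rejected
var_dump(oldInputNoObjects($flash, 'name'));  // string(4) "demo"

$stored   = storeOldInput(['name' => 'demo'], $key);
$tampered = ($stored[0] === 'a' ? 'b' : 'a') . substr($stored, 1); // corrupt the MAC
var_dump(oldInputJson($stored, 'name', $key));   // string(4) "demo"
var_dump(oldInputJson($tampered, 'name', $key)); // NULL: tampered blob refused
```

The first hardened variant is the smallest change when unserialize() cannot be removed; the second is the durable fix, since a client-bound value should never need PHP's object serialization at all, and the MAC lets the server discard tampered data before any parsing occurs.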