CVE-2014-8684

high-risk
Published 2017-09-19

CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.

Do I need to act?

!
44.8% chance of exploitation in next 30 days
EPSS score — higher than 55% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
36264
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (4)

Affected Vendors

Kohanaframework Codeigniter

References (8)

Third Party Advisory http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated...
Mailing List http://seclists.org/fulldisclosure/2014/May/54
Third Party Advisory https://github.com/kohana/core/pull/492
Third Party Advisory https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-i...
Third Party Advisory http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated...
Mailing List http://seclists.org/fulldisclosure/2014/May/54
Third Party Advisory https://github.com/kohana/core/pull/492
Third Party Advisory https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-i...
66
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 24/34 · High
Exposure 10/34 · Low