CVE-2014-8684

CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.

Published: Sep 19, 2017
Updated: Apr 13, 2023
CVE: CVE-2014-8684
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-310

Affected Software
References

Software	From	Fixed in
kohanaframework / kohana	3.3.0	3.3.0.x
kohanaframework / kohana	3.3.1	3.3.1.x
kohanaframework / kohana	3.2.3	3.2.3.x
codeigniter / codeigniter	-	2.2.6.x

http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html
http://seclists.org/fulldisclosure/2014/May/54
https://github.com/kohana/core/pull/492
https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection

Vulnerability Database

CVE-2014-8684