Insertion of Sensitive Information into Log

Impact

If successful login attempts are recorded, the raw tokens are stored in the log table. If a malicious person somehow views the data in the log table, he or she can obtain a raw token, which can then be used to send a request with that user's authority.

When you (1) use the following authentiactors,

AccessTokens (tokens)
JWT (jwt)
HmacSha256 (hmac)

and you (2) log successful login attempts, the raw tokens are stored.

Patches

Upgrade to Shield v1.0.0-beta.8 or later.

Workarounds

Disable logging for successful login attempts by the configuration files.

AccessTokens or HmacSha256
- Set Config\AuthToken::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE
JWT
- Set Config\AuthJWT::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE

References

https://codeigniter4.github.io/shield/getting_started/authenticators/

For more information

If you have any questions or comments about this advisory:

Open an issue or discussion in codeigniter4/shield
Email us at security@codeigniter.com

Published: Nov 23, 2023
Updated: Nov 23, 2023
GHSA: GHSA-j72f-h752-mx4w
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N

CWEs:

CWE-532

Affected Software
References

Software	From	Fixed in
codeigniter4 / shield	-	1.0.0-beta.8