{"id":"CVE-2022-35943","summary":"SameSite may allow cross-site request forgery (CSRF) protection to be bypassed","details":"Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter Shield. For this attack to succeed, the attacker must have direct (or indirect, e.g., XSS) control over a subdomain site (e.g., `https://a.example.com/`) of the target site (e.g., `http://example.com/`). Upgrade to **CodeIgniter v4.2.3 or later** and **Shield v1.0.0-beta.2 or later**. As a workaround: set `Config\\Security::$csrfProtection` to `'session,'`remove old session data right after login (immediately after ID and password match) and regenerate CSRF token right after login (immediately after ID and password match)","aliases":["BIT-codeigniter-2022-35943","GHSA-5hm8-vh6r-2cjq"],"modified":"2026-04-02T08:05:06.199158Z","published":"2022-08-12T20:55:10Z","database_specific":{"cwe_ids":["CWE-352"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/35xxx/CVE-2022-35943.json"},"references":[{"type":"WEB","url":"https://codeigniter4.github.io/userguide/libraries/security.htm"},{"type":"WEB","url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite"},{"type":"WEB","url":"https://jub0bs.com/posts/2021-01-29-great-samesite-confusion"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/35xxx/CVE-2022-35943.json"},{"type":"ADVISORY","url":"https://github.com/codeigniter4/shield/security/advisories/GHSA-5hm8-vh6r-2cjq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-35943"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/codeigniter4/codeigniter4","events":[{"introduced":"0"},{"fixed":"9c0c6951579f87eeaa3db07e7391aa7152f4c93e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.2.3"}]}},{"type":"GIT","repo":"https://github.com/codeigniter4/shield","events":[{"introduced":"0"},{"last_affected":"c66012f887d9e9ab14183472b162114f48ad4561"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.0.0-beta"}]}}],"versions":["4.0.0","4.0.2","v1.0.0-beta","v4.0.0-alpha.1","v4.0.0-alpha.2","v4.0.0-alpha.3","v4.0.0-alpha.4","v4.0.0-alpha.5","v4.0.0-beta.1","v4.0.0-beta.3","v4.0.0-beta.4","v4.0.0-rc.1","v4.0.0-rc.2","v4.0.0-rc.2.1","v4.0.0-rc.2b","v4.0.0-rc.3","v4.0.0-rc.4","v4.0.0.0-alpha.5","v4.0.1","v4.0.3","v4.0.4","v4.0.5","v4.1.0","v4.1.1","v4.1.2","v4.1.3","v4.1.4","v4.1.5","v4.1.6","v4.1.7","v4.1.8","v4.1.9","v4.2.0","v4.2.1","v4.2.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35943.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:L"}]}