{"id":"GHSA-j72f-h752-mx4w","summary":"Insertion of Sensitive Information into Log","details":"### Impact\nIf successful login attempts are recorded, the raw tokens are stored in the log table.\nIf a malicious person somehow views the data in the log table, he or she can obtain a raw token, which can then be used to send a request with that user's authority.\n\nWhen you (1) **use the following authentiactors**,\n- [AccessTokens](https://codeigniter4.github.io/shield/references/authentication/tokens/) (`tokens`)\n- [JWT](https://codeigniter4.github.io/shield/addons/jwt/) (`jwt`)\n- [HmacSha256](https://codeigniter4.github.io/shield/references/authentication/hmac/) (`hmac`)\n\nand you (2) **log successful login attempts**, the raw tokens are stored.\n\n### Patches\nUpgrade to Shield v1.0.0-beta.8 or later.\n\n### Workarounds\nDisable logging for successful login attempts by the configuration files.\n\n- AccessTokens or HmacSha256\n   - Set `Config\\AuthToken::$recordLoginAttempt` to `Auth::RECORD_LOGIN_ATTEMPT_FAILURE` or `Auth::RECORD_LOGIN_ATTEMPT_NONE`\n- JWT\n   - Set `Config\\AuthJWT::$recordLoginAttempt` to `Auth::RECORD_LOGIN_ATTEMPT_FAILURE` or `Auth::RECORD_LOGIN_ATTEMPT_NONE`\n\n### References\n- https://codeigniter4.github.io/shield/getting_started/authenticators/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue or discussion in [codeigniter4/shield](https://github.com/codeigniter4/shield)\n* Email us at [security@codeigniter.com](mailto:security@codeigniter.com)\n","aliases":["CVE-2023-48708"],"modified":"2024-02-16T08:21:04.973586Z","published":"2023-11-23T00:28:13Z","database_specific":{"github_reviewed":true,"github_reviewed_at":"2023-11-23T00:28:13Z","nvd_published_at":"2023-11-24T18:15:07Z","cwe_ids":["CWE-532"],"severity":"MODERATE"},"references":[{"type":"WEB","url":"https://github.com/codeigniter4/shield/security/advisories/GHSA-j72f-h752-mx4w"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48708"},{"type":"WEB","url":"https://github.com/codeigniter4/shield/commit/7e84c3fb3411294f70890819bfe51781bb9dc8e4"},{"type":"WEB","url":"https://codeigniter4.github.io/shield/getting_started/authenticators"},{"type":"PACKAGE","url":"https://github.com/codeigniter4/shield"}],"affected":[{"package":{"name":"codeigniter4/shield","ecosystem":"Packagist","purl":"pkg:composer/codeigniter4/shield"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.0.0-beta.8"}]}],"versions":["v1.0.0-beta","v1.0.0-beta.2","v1.0.0-beta.3","v1.0.0-beta.4","v1.0.0-beta.5","v1.0.0-beta.6","v1.0.0-beta.7"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-j72f-h752-mx4w/GHSA-j72f-h752-mx4w.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N"}]}