CVE-2022-21647

7.7 HIGH

📋 TL;DR

CVE-2022-21647 is a deserialization vulnerability in CodeIgniter4's old() function that lets a remote attacker inject arbitrary PHP objects and potentially execute PHP code on the server. It affects every CodeIgniter4 application that uses the vulnerable function; the known public exploits result in SQL injection. The root cause is deserialization of untrusted data.

💻 Affected Systems

Products:
  • CodeIgniter4
Versions: All versions before 4.1.6
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists when the application uses the old() function, form_helper, RedirectResponse::withInput(), or redirect()->withInput().

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete server compromise, data exfiltration, and potential lateral movement within the network.

🟠 Likely Case: SQL injection leading to database compromise, data manipulation, and potential privilege escalation.

🟢 If Mitigated: Limited impact with proper input validation and sanitization in place, though the core vulnerability remains exploitable.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, affecting publicly accessible web applications.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Working exploits are publicly available and can lead to SQL injection. The vulnerability is easily exploitable with minimal technical knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.6

Vendor Advisory: https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-w6jr-wj64-mc9x

Restart Required: No

Instructions:

1. Back up your application and database.
2. Update CodeIgniter4 to version 4.1.6 or later using Composer: composer require codeigniter4/framework:^4.1.6
3. Test your application functionality after the update.

🔧 Temporary Workarounds

Disable vulnerable functions (applies to: all)

Avoid using the old() function, form_helper, RedirectResponse::withInput(), and redirect()->withInput() in your application code.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs
  • Deploy web application firewall (WAF) rules to detect and block deserialization attacks

🔍 How to Verify

Check if Vulnerable:

Check if your CodeIgniter4 version is below 4.1.6 and if your application uses old(), form_helper, RedirectResponse::withInput(), or redirect()->withInput() functions.

Check Version:

php spark --version

Verify Fix Applied:

Verify that CodeIgniter4 version is 4.1.6 or higher and test that the vulnerable functions no longer accept malicious input.
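The two checks above (installed version below 4.1.6, and use of old(), form_helper or withInput() in application code) can be scripted. The following is an added example, not code from this advisory or from the CodeIgniter project: it reads the codeigniter4/framework version from a composer.lock file (standard Composer lock layout assumed), compares it with the fixed release, and lists the call sites the advisory names. The composer.lock and controller it inspects are constructed for the demonstration; the helper('form') pattern is included because that is how the form helper is loaded in CodeIgniter4.

```shell
#!/bin/sh
# Added example, not code from the advisory or the CodeIgniter project: a
# defender-side check for CVE-2022-21647 that (1) reads the installed
# codeigniter4/framework version from composer.lock and compares it with the
# fixed release 4.1.6, and (2) lists the application call sites the advisory
# names (old(), the form helper, withInput()). All sample files are constructed.

FIXED_VERSION="4.1.6"

# True (exit 0) when the given version is strictly lower than 4.1.6.
# A leading "v" (composer.lock style, "v4.1.5") is ignored; a pre-release
# suffix such as "-rc.1" is dropped by awk's numeric conversion. An empty or
# unparseable version compares as 0.0.0, so it is reported as vulnerable
# rather than silently passed.
ci4_version_is_vulnerable() {
    printf '%s\n' "${1#v}" | awk -F. -v fixed="$FIXED_VERSION" '
        {
            split(fixed, f, ".")
            for (i = 1; i <= 3; i++) {
                a = $i + 0; b = f[i] + 0
                if (a < b) exit 0      # lower than the fix: vulnerable
                if (a > b) exit 1      # higher than the fix: patched
            }
            exit 1                     # exactly 4.1.6: patched
        }'
}

# Print the codeigniter4/framework version recorded in a composer.lock file
# (the "version" line that follows the package's "name" line).
ci4_installed_version() {
    awk '
        /"name": *"codeigniter4\/framework"/ { found = 1 }
        found && /"version":/ { gsub(/[",]/, "", $2); print $2; exit }
    ' "$1"
}

# Print every PHP line under a directory that calls one of the functions the
# advisory lists. helper('form') is how the form helper is loaded in CI4.
# /dev/null is passed so grep always prefixes the file name.
CALLSITE_RE="old\(|withInput\(|form_helper|helper\(['\"]form['\"]\)"
ci4_find_vulnerable_callsites() {
    find "$1" -name '*.php' -exec grep -nE "$CALLSITE_RE" /dev/null {} +
}

# Build a small constructed application tree for the demonstration.
ci4_make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/app/Controllers"
    cat > "$dir/composer.lock" <<'EOF'
{
    "packages": [
        {
            "name": "codeigniter4/framework",
            "version": "v4.1.5"
        }
    ]
}
EOF
    cat > "$dir/app/Controllers/Contact.php" <<'EOF'
<?php
// constructed sample controller, not real project code
$name = old('name');
return redirect()->to('/contact')->withInput();
EOF
    printf '%s\n' "$dir"
}

# Demonstration run against the constructed tree; point DEMO_DIR at a real
# project root to check an actual deployment.
DEMO_DIR=$(ci4_make_demo_tree)
INSTALLED=$(ci4_installed_version "$DEMO_DIR/composer.lock")
printf 'installed codeigniter4/framework: %s\n' "$INSTALLED"
if ci4_version_is_vulnerable "$INSTALLED"; then
    printf 'VULNERABLE: below %s. Call sites to review:\n' "$FIXED_VERSION"
    ci4_find_vulnerable_callsites "$DEMO_DIR/app"
else
    printf 'patched (%s or later)\n' "$FIXED_VERSION"
fi
```

A version below 4.1.6 with no listed call sites is still worth upgrading: the call-site scan only tells you where the vulnerable code is reachable today, and a later change can introduce a new use of old() or withInput(). On a running deployment, php spark --version gives the same version figure as the composer.lock lookup.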

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to forms that use the old() function
  • SQL injection attempts in application logs
  • Deserialization errors in PHP logs

Network Indicators:

  • Unexpected database connections from web server
  • Suspicious payloads in HTTP POST requests

SIEM Query:

source="web_logs" AND (uri="*old*" OR method="POST") AND (payload="*__destruct*" OR payload="*__wakeup*")
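The "suspicious payloads in HTTP POST requests" indicator can be made concrete: a PHP deserialization bug consumes input shaped like PHP's serialize() output, and an object in that format always starts with O:<name length>:"<ClassName>": (URL-encoded in a form post as O%3A...%3A%22...). The following is an added example, not part of this advisory: it flags POST log lines whose recorded body carries that marker and lists the source addresses involved. The log lines are constructed and assume a logger that records POST bodies (as a WAF or application-level request logger does; a standard web-server access log does not include bodies, so this check is not applicable to it).

```shell
#!/bin/sh
# Added example (not from the advisory): flag HTTP POST log lines whose body
# carries a PHP serialized-object marker, the input shape a deserialization
# bug such as CVE-2022-21647 consumes. The log lines below are constructed
# and assume a request logger that records the POST body.
#
# PHP's serialize() writes an object as  O:<name length>:"<ClassName>":<n>:{...}
# In a form post the same bytes usually arrive URL-encoded, so both spellings
# are matched:
#   raw:      O:9:"SomeClass":
#   encoded:  O%3A9%3A%22SomeClass%22%3A
SERIALIZED_OBJECT_RE='O(:|%3[Aa])[0-9]+(:|%3[Aa])("|%22)'

# Constructed sample log: one benign POST, two POSTs carrying the marker
# (encoded and raw), and one GET that must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - - [01/Feb/2022:10:00:00 +0000] "POST /contact HTTP/1.1" 302 body="name=alice&email=alice%40example.org"
10.0.0.9 - - [01/Feb/2022:10:00:07 +0000] "POST /contact HTTP/1.1" 302 body="name=O%3A9%3A%22SomeClass%22%3A0%3A%7B%7D"
10.0.0.9 - - [01/Feb/2022:10:00:09 +0000] "GET /contact HTTP/1.1" 200 body=""
10.0.0.9 - - [01/Feb/2022:10:00:12 +0000] "POST /contact HTTP/1.1" 302 body='name=O:9:"SomeClass":0:{}'
EOF
)

# Read log lines on stdin; print those that are POST requests and carry the
# marker. Exit status is 0 when at least one line matched, 1 otherwise.
flag_serialized_object_posts() {
    grep -E '"POST ' | grep -E "$SERIALIZED_OBJECT_RE"
}

# Read log lines on stdin; print the number of flagged POST lines.
count_flagged_posts() {
    flag_serialized_object_posts | wc -l | tr -d ' '
}

# Read log lines on stdin; print each source address (first field) that sent
# a flagged POST, once, for triage or temporary blocking.
flagged_source_ips() {
    flag_serialized_object_posts | awk '{ print $1 }' | sort -u
}

# Demonstration run over the constructed log. Caveats: the marker alone shows
# that serialized-object input reached the application, not that it was
# deserialized or that exploitation succeeded; and a payload wrapped in a
# further encoding (base64, for instance) will not match this pattern.
printf 'flagged POST lines:\n'
printf '%s\n' "$SAMPLE_LOG" | flag_serialized_object_posts
printf 'count: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_flagged_posts)"
printf 'sources:\n'
printf '%s\n' "$SAMPLE_LOG" | flagged_source_ips
```

Pair this with the PHP error log: a failed unserialize() of malformed input produces notices there, which is the "deserialization errors in PHP logs" indicator listed above, and a source address that appears in both places is a strong lead.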
