Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-v427-c49j-8w6x

GitHub Security Advisory

Cleartext Storage of Sensitive Information in HMAC SHA256 Authentication

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

### Impact
**secretKey**, an important key for HMAC SHA256 authentication, was stored in the database in raw form.

If a malicious person somehow had access to the data in the database, they could use the key and secretKey for HMAC SHA256 authentication to send requests impersonating that person.

### Patches
Upgrade to Shield v1.0.0-beta.8 or later.

After upgrading, all existing secret keys must be encrypted.
See https://github.com/codeigniter4/shield/blob/develop/UPGRADING.md for details.

### Workarounds
None.

### References
- https://codeigniter4.github.io/shield/references/authentication/hmac/

### For more information
If you have any questions or comments about this advisory:
* Open an issue or discussion in [codeigniter4/shield](https://github.com/codeigniter4/shield)
* Email us at [[email protected]](mailto:[email protected])

Affected Packages

Packagist codeigniter4/shield
Affected versions: 0 (fixed in 1.0.0-beta.8)

Related CVEs

CVE-2023-48707

Key Information

GHSA ID
GHSA-v427-c49j-8w6x
Published
November 23, 2023 12:28 AM
Last Modified
November 27, 2023 9:44 PM
CVSS Score
5.0 /10
Primary Ecosystem
Packagist
Primary Package
codeigniter4/shield
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.