CVE-2023-27580

MEDIUM | CVSS 5.9/10 | EPSS 0.52%

CVE-2023-27580 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. CodeIgniter Shield provides authentication and authorization for the CodeIgniter 4 PHP framework. An improper implementation in Shield's password storage process (v1.0.0-beta.3 and earlier) leaves the stored password hashes easier to crack than expected. EPSS estimates a 0.52% chance of exploitation in the next 30 days.

Description

CodeIgniter Shield provides authentication and authorization for the CodeIgniter 4 PHP framework. An improper implementation was found in its password storage process: all password hashes stored by Shield v1.0.0-beta.3 or earlier are easier to crack than expected, so they should be removed as soon as possible. If an attacker obtains (1) a user's password hash as stored by Shield and (2) the same password as an unsalted SHA-384 hash from some other source, the attacker may easily crack the user's password. Upgrade to Shield v1.0.0-beta.4 or later to fix the issue. The upgrade only changes how new hashes are produced; it does not rewrite hashes already in the database, so after upgrading every user's password hash must be regenerated and saved (for example by rehashing at the user's next successful login, or by forcing a password reset). There are no known workarounds.
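The second remediation step (rewriting every stored hash) has to be done by the application, because a bcrypt-style hash cannot be converted into a new one without the plaintext. The following is an added example, not Shield's own code, of doing that at the user's next successful login. It assumes Shield 1.0.0-beta.4 or later with `auth()->attempt()`, `auth()->user()` and `auth()->getProvider()` as documented, and that `$user->fill(['password' => ...])` followed by `$users->save($user)` is the supported way to store a new hash; the `password_rehashed` user attribute (and the database column behind it) is hypothetical bookkeeping introduced for this example.

```php
<?php
// Added example (not Shield's own code): regenerate a user's password hash at the
// next successful login after upgrading to Shield v1.0.0-beta.4 or later. The
// upgrade fixes how new hashes are written but leaves old hashes in the database.
//
// Assumptions: auth()->attempt(), auth()->user(), auth()->getProvider() and
// $user->fill(['password' => ...]) + $users->save($user) behave as in Shield
// 1.0.0-beta.4+. The `password_rehashed` attribute is a hypothetical flag column
// added to the users table (and to UserModel::$allowedFields) for this example.

namespace App\Controllers;

use CodeIgniter\Controller;

class LoginController extends Controller
{
    public function attempt()
    {
        $credentials = [
            'email'    => $this->request->getPost('email'),
            'password' => $this->request->getPost('password'),
        ];

        // Shield verifies the submitted password against the stored hash
        // (old or new format; verification of old hashes still succeeds).
        $result = auth()->attempt($credentials);
        if (! $result->isOK()) {
            return redirect()->back()->with('error', $result->reason());
        }

        $users = auth()->getProvider();
        $user  = auth()->user();

        // The plaintext is only available right now, during login, so this is the
        // one place a pre-fix hash can be replaced without forcing a reset. Setting
        // 'password' makes Shield hash it with the fixed routine on save.
        if (empty($user->password_rehashed)) {
            $user->fill([
                'password'          => $credentials['password'],
                'password_rehashed' => 1,
            ]);
            $users->save($user);
        }

        return redirect()->to('/');
    }
}
```

Rehash-on-login only reaches users who log in; accounts that stay dormant keep their pre-fix hash. For those, pair this with a deadline after which the old hashes are removed and the affected users are forced through a password reset, which is what the advisory's "should be removed as soon as possible" amounts to in practice.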

Metrics

CVSS 3.1
5.9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability
0.52%

39.9th percentile

Probability of exploitation in the next 30 days.

Affected Software

Vendor: Codeigniter
Product: Shield
Versions: 1.0.0 Beta (beta.3 and earlier affected; fixed in beta.4)

Timeline

Status: Modified

Frequently Asked Questions

What is CVE-2023-27580?
A weakness in the password storage process of CodeIgniter Shield, the authentication and authorization library for the CodeIgniter 4 PHP framework. Password hashes stored by Shield v1.0.0-beta.3 or earlier are easier to crack than expected, and an attacker holding both the Shield hash and an unsalted SHA-384 hash of the same password from another source can easily recover the password. The full advisory text is in the Description section above.
How severe is CVE-2023-27580?
CVE-2023-27580 has a CVSS score of 5.9/10 (MEDIUM severity). The EPSS model estimates a 0.52% probability of exploitation in the next 30 days.
How do I fix CVE-2023-27580?
Upgrade to Shield v1.0.0-beta.4 or later, then regenerate and save every user's password hash, since the upgrade does not rewrite hashes already in the database and there are no known workarounds. Check the vendor advisory for details. You can also run a Strix scan to test if your systems are affected.

Source: NVD / NIST