Vulnerabilites related to guzzlephp - guzzle
cve-2022-31043
Vulnerability from cvelistv5
Published
2022-06-09 00:00
Modified
2024-08-03 07:03
Severity ?
EPSS score ?
Summary
Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach which would be to use their own redirect middleware. Alternately users may simply disable redirects all together if redirects are not expected or required.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T07:03:40.241Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8", }, { tags: [ "x_transferred", ], url: "https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx", }, { tags: [ "x_transferred", ], url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q", }, { tags: [ "x_transferred", ], url: "https://www.drupal.org/sa-core-2022-011", }, { name: "DSA-5246", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5246", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "guzzle", vendor: "guzzle", versions: [ { status: "affected", version: "< 6.5.7", }, { status: "affected", version: ">=7.0.0, < 7.4.4", }, ], }, ], descriptions: [ { lang: "en", value: "Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach which would be to use their own redirect middleware. Alternately users may simply disable redirects all together if redirects are not expected or required.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-200", description: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-10-06T00:00:00", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { url: "https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8", }, { url: "https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx", }, { url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q", }, { url: "https://www.drupal.org/sa-core-2022-011", }, { name: "DSA-5246", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2022/dsa-5246", }, ], source: { advisory: "GHSA-w248-ffj2-4v5q", discovery: "UNKNOWN", }, title: "Fix failure to strip Authorization header on HTTP downgrade in Guzzle", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-31043", datePublished: "2022-06-09T00:00:00", dateReserved: "2022-05-18T00:00:00", dateUpdated: "2024-08-03T07:03:40.241Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-29248
Vulnerability from cvelistv5
Published
2022-05-25 00:00
Modified
2024-08-03 06:17
Severity ?
EPSS score ?
Summary
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T06:17:54.465Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3", }, { tags: [ "x_transferred", ], url: "https://github.com/guzzle/guzzle/pull/3018", }, { tags: [ "x_transferred", ], url: "https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab", }, { tags: [ "x_transferred", ], url: "https://www.drupal.org/sa-core-2022-010", }, { name: "DSA-5246", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5246", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "guzzle", vendor: "guzzle", versions: [ { status: "affected", version: "< 6.5.6", }, { status: "affected", version: ">= 7.0.0, < 7.4.3", }, ], }, ], descriptions: [ { lang: "en", value: "Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-200", description: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-10-06T00:00:00", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3", }, { url: "https://github.com/guzzle/guzzle/pull/3018", }, { url: "https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab", }, { url: "https://www.drupal.org/sa-core-2022-010", }, { name: "DSA-5246", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2022/dsa-5246", }, ], source: { advisory: "GHSA-cwmx-hcrq-mhc3", discovery: "UNKNOWN", }, title: "Cross-domain cookie leakage in Guzzle", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-29248", datePublished: "2022-05-25T00:00:00", dateReserved: "2022-04-13T00:00:00", dateUpdated: "2024-08-03T06:17:54.465Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-31042
Vulnerability from cvelistv5
Published
2022-06-09 00:00
Modified
2024-08-03 07:03
Severity ?
EPSS score ?
Summary
Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach to use your own redirect middleware, rather than ours. If you do not require or expect redirects to be followed, one should simply disable redirects all together.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T07:03:40.287Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9", }, { tags: [ "x_transferred", ], url: "https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8", }, { tags: [ "x_transferred", ], url: "https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx", }, { tags: [ "x_transferred", ], url: "https://www.drupal.org/sa-core-2022-011", }, { name: "DSA-5246", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5246", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "guzzle", vendor: "guzzle", versions: [ { status: "affected", version: "< 6.5.7", }, { status: "affected", version: ">=7.0.0, < 7.4.4", }, ], }, ], descriptions: [ { lang: "en", value: "Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach to use your own redirect middleware, rather than ours. If you do not require or expect redirects to be followed, one should simply disable redirects all together.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-200", description: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-10-06T00:00:00", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9", }, { url: "https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8", }, { url: "https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx", }, { url: "https://www.drupal.org/sa-core-2022-011", }, { name: "DSA-5246", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2022/dsa-5246", }, ], source: { advisory: "GHSA-f2wf-25xc-69c9", discovery: "UNKNOWN", }, title: "Failure to strip the Cookie header on change in host or HTTP downgrade in Guzzle", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-31042", datePublished: "2022-06-09T00:00:00", dateReserved: "2022-05-18T00:00:00", dateUpdated: "2024-08-03T07:03:40.287Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-31091
Vulnerability from cvelistv5
Published
2022-06-27 00:00
Modified
2024-08-03 07:11
Severity ?
EPSS score ?
Summary
Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before containing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T07:11:39.362Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82", }, { tags: [ "x_transferred", ], url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699", }, { name: "DSA-5246", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5246", }, { name: "GLSA-202305-24", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security.gentoo.org/glsa/202305-24", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "guzzle", vendor: "guzzle", versions: [ { status: "affected", version: "< 6.5.8", }, { status: "affected", version: ">=7.0.0, < 7.4.5", }, ], }, ], descriptions: [ { lang: "en", value: "Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before containing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-200", description: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-05-21T00:00:00", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { url: "https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82", }, { url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699", }, { name: "DSA-5246", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2022/dsa-5246", }, { name: "GLSA-202305-24", tags: [ "vendor-advisory", ], url: "https://security.gentoo.org/glsa/202305-24", }, ], source: { advisory: "GHSA-q559-8m2m-g699", discovery: "UNKNOWN", }, title: "Change in port should be considered a change in origin in Guzzle", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-31091", datePublished: "2022-06-27T00:00:00", dateReserved: "2022-05-18T00:00:00", dateUpdated: "2024-08-03T07:11:39.362Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-31090
Vulnerability from cvelistv5
Published
2022-06-27 00:00
Modified
2024-08-03 07:11
Severity ?
EPSS score ?
Summary
Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T07:11:39.360Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r", }, { tags: [ "x_transferred", ], url: "https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82", }, { name: "DSA-5246", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5246", }, { name: "GLSA-202305-24", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security.gentoo.org/glsa/202305-24", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "guzzle", vendor: "guzzle", versions: [ { status: "affected", version: "< 6.5.8", }, { status: "affected", version: ">=7.0.0, < 7.4.5", }, ], }, ], descriptions: [ { lang: "en", value: "Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-200", description: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-05-21T00:00:00", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r", }, { url: "https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82", }, { name: "DSA-5246", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2022/dsa-5246", }, { name: "GLSA-202305-24", tags: [ "vendor-advisory", ], url: "https://security.gentoo.org/glsa/202305-24", }, ], source: { advisory: "GHSA-25mq-v84q-4j7r", discovery: "UNKNOWN", }, title: "CURLOPT_HTTPAUTH option not cleared on change of origin in Guzzle", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-31090", datePublished: "2022-06-27T00:00:00", dateReserved: "2022-05-18T00:00:00", dateUpdated: "2024-08-03T07:11:39.360Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2022-06-27 22:15
Modified
2024-11-21 07:03
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary
Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before containing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*", matchCriteriaId: "3F75AB58-B779-4360-8208-74C0CAE05DF3", versionEndExcluding: "6.5.8", vulnerable: true, }, { criteria: "cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*", matchCriteriaId: "7633A189-101C-40CA-9EE3-090CE6995E18", versionEndExcluding: "7.4.5", versionStartIncluding: "7.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before containing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.", }, { lang: "es", value: "Guzzle, un cliente PHP HTTP extensible. Los encabezados \"Authorization\" y \"Cookie\" en las peticiones son información confidencial. En las versiones afectadas al realizar una petición que responde con un redireccionamiento a una URI con un puerto diferente, si decidimos seguirla, debemos eliminar los encabezados \"Authorization\" y \"Cookie\" de la petición, antes de contenerla. Anteriormente, sólo considerábamos un cambio de host o de esquema. Los usuarios de Guzzle 7 afectados deben actualizar a Guzzle versión 7.4.5 lo antes posible. Los usuarios afectados usando cualquier serie anterior de Guzzle deberían actualizar a Guzzle versiones 6.5.8 o 7.4.5. Tenga en cuenta que en Guzzle versión 7.4.2 fué implementado una corrección parcial, en la que un cambio de host desencadenaba una eliminación del encabezado de autorización añadida por curl, sin embargo esta corrección anterior no cubría el cambio de esquema o el cambio de puerto. Un enfoque alternativo sería usar su propio middleware de redireccionamiento, en lugar del nuestro, si no puede actualizar. Si usted no requiere o espera que sean seguidas los redireccionamientos, uno debería simplemente deshabilitar los redireccionamientos por completo", }, ], id: "CVE-2022-31091", lastModified: "2024-11-21T07:03:52.600", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-06-27T22:15:08.933", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82", }, { source: "security-advisories@github.com", tags: [ "Mitigation", "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699", }, { source: "security-advisories@github.com", url: "https://security.gentoo.org/glsa/202305-24", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5246", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://security.gentoo.org/glsa/202305-24", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5246", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-06-10 00:15
Modified
2024-11-21 07:03
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach to use your own redirect middleware, rather than ours. If you do not require or expect redirects to be followed, one should simply disable redirects all together.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*", matchCriteriaId: "F63E5173-A0D6-407C-A788-895ADEAB54EC", versionEndExcluding: "6.5.7", vulnerable: true, }, { criteria: "cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*", matchCriteriaId: "0BBBE39B-CF8F-413D-96B6-F9302FC6AB2B", versionEndExcluding: "7.4.4", versionStartIncluding: "7.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", matchCriteriaId: "B7E40693-C556-4CD4-A1A8-70A65C80F1B8", versionEndExcluding: "9.2.21", versionStartIncluding: "9.2.0", vulnerable: true, }, { criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", matchCriteriaId: "09AEC71B-D785-47C7-91B0-D2E2C2D4FA26", versionEndExcluding: "9.3.16", versionStartIncluding: "9.3.0", vulnerable: true, }, { criteria: "cpe:2.3:a:drupal:drupal:9.4.0:alpha1:*:*:*:*:*:*", matchCriteriaId: "C94ED120-2DCB-421F-8358-3C6C6540F0E4", vulnerable: true, }, { criteria: "cpe:2.3:a:drupal:drupal:9.4.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F1AC8A4E-2B83-4190-8A21-28B1726557F1", vulnerable: true, }, { criteria: "cpe:2.3:a:drupal:drupal:9.4.0:rc1:*:*:*:*:*:*", matchCriteriaId: "92446FF8-9206-4053-8726-612F079B1D39", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach to use your own redirect middleware, rather than ours. If you do not require or expect redirects to be followed, one should simply disable redirects all together.", }, { lang: "es", value: "Guzzle es un cliente PHP HTTP de código abierto. En las versiones afectadas, los encabezados \"Cookie\" de las peticiones son información confidencial. Al hacer una petición usando el esquema \"https\" a un servidor que responde con un redireccionamiento a un URI con el esquema \"http\", o al hacer una petición a un servidor que responde con un redireccionamiento a un URI a un host diferente, no deberíamos reenviar el encabezado \"Cookie\". Antes de esta corrección, sólo las cookies administradas por nuestro middleware de cookies eran eliminadas de forma segura, y cualquier encabezado \"Cookie\" añadida manualmente a la petición inicial no era eliminada. Ahora siempre lo eliminamos, y permitimos que el middleware de cookies vuelva a añadir las cookies que considere que deben estar ahí. Los usuarios de Guzzle 7 afectados deben actualizar a Guzzle versión 7.4.4 lo antes posible. Los usuarios afectados usando cualquier serie anterior de Guzzle deberán actualizar a Guzzle versiones 6.5.7 o 7.4.4. Los usuarios que no puedan actualizar pueden considerar un enfoque alternativo para usar su propio middleware de redireccionamiento, en lugar del nuestro. Si no es requerido o no es esperado que sean seguidas los redireccionamientos, debería simplemente deshabilitar los redireccionamientos por completo", }, ], id: "CVE-2022-31042", lastModified: "2024-11-21T07:03:46.327", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-06-10T00:15:07.690", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5246", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.drupal.org/sa-core-2022-011", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5246", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.drupal.org/sa-core-2022-011", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-212", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-06-10 00:15
Modified
2024-11-21 07:03
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach which would be to use their own redirect middleware. Alternately users may simply disable redirects all together if redirects are not expected or required.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*", matchCriteriaId: "F63E5173-A0D6-407C-A788-895ADEAB54EC", versionEndExcluding: "6.5.7", vulnerable: true, }, { criteria: "cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*", matchCriteriaId: "0BBBE39B-CF8F-413D-96B6-F9302FC6AB2B", versionEndExcluding: "7.4.4", versionStartIncluding: "7.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", matchCriteriaId: "B7E40693-C556-4CD4-A1A8-70A65C80F1B8", versionEndExcluding: "9.2.21", versionStartIncluding: "9.2.0", vulnerable: true, }, { criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", matchCriteriaId: "09AEC71B-D785-47C7-91B0-D2E2C2D4FA26", versionEndExcluding: "9.3.16", versionStartIncluding: "9.3.0", vulnerable: true, }, { criteria: "cpe:2.3:a:drupal:drupal:9.4.0:alpha1:*:*:*:*:*:*", matchCriteriaId: "C94ED120-2DCB-421F-8358-3C6C6540F0E4", vulnerable: true, }, { criteria: "cpe:2.3:a:drupal:drupal:9.4.0:beta1:*:*:*:*:*:*", matchCriteriaId: "F1AC8A4E-2B83-4190-8A21-28B1726557F1", vulnerable: true, }, { criteria: "cpe:2.3:a:drupal:drupal:9.4.0:rc1:*:*:*:*:*:*", matchCriteriaId: "92446FF8-9206-4053-8726-612F079B1D39", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach which would be to use their own redirect middleware. Alternately users may simply disable redirects all together if redirects are not expected or required.", }, { lang: "es", value: "Guzzle es un cliente PHP HTTP de código abierto. En las versiones afectadas los encabezados \"Authorization\" de las peticiones son información confidencial. Al hacer una petición usando el esquema \"https\" a un servidor que responde con un redireccionamiento a una URI con el esquema \"http\", no deberíamos reenviar el encabezado \"Authorization\". Esto es muy parecido a no reenviar el encabezado si el host cambia. Anterior a esta corrección, las actualizaciones de \"https\" a \"http\" no provocaban la eliminación del encabezado \"Authorization\", sólo los cambios en el host. Los usuarios de Guzzle 7 afectados deben actualizar a Guzzle versión 7.4.4 lo antes posible. Los usuarios afectados usando cualquier serie anterior de Guzzle deberían actualizar a Guzzle versión 6.5.7 o 7.4.4. Los usuarios que no puedan actualizar pueden considerar un enfoque alternativo que sería usar su propio middleware de redireccionamiento. Alternativamente, los usuarios pueden simplemente deshabilitar los redireccionamientos si éstas no son esperadas o requeridas", }, ], id: "CVE-2022-31043", lastModified: "2024-11-21T07:03:46.460", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-06-10T00:15:07.757", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5246", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.drupal.org/sa-core-2022-011", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5246", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.drupal.org/sa-core-2022-011", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-212", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-06-27 22:15
Modified
2024-11-21 07:03
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary
Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r | Mitigation, Third Party Advisory | |
| security-advisories@github.com | https://security.gentoo.org/glsa/202305-24 | Third Party Advisory | |
| security-advisories@github.com | https://www.debian.org/security/2022/dsa-5246 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r | Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202305-24 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.debian.org/security/2022/dsa-5246 | Third Party Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*", matchCriteriaId: "3F75AB58-B779-4360-8208-74C0CAE05DF3", versionEndExcluding: "6.5.8", vulnerable: true, }, { criteria: "cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*", matchCriteriaId: "7633A189-101C-40CA-9EE3-090CE6995E18", versionEndExcluding: "7.4.5", versionStartIncluding: "7.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl.", }, { lang: "es", value: "Guzzle, un cliente PHP HTTP extensible. Los encabezados \"Authorization\" en las peticiones son información confidencial. En las versiones afectadas cuando es usado nuestro manejador Curl, es posible usar la opción \"CURLOPT_HTTPAUTH\" para especificar un encabezado \"Authorization\". Al realizar una petición que responda con un redireccionamiento a una URI con un origen diferente (cambio de host, esquema o puerto), si decidimos seguirla, debemos eliminar la opción \"CURLOPT_HTTPAUTH\" antes de continuar, impidiendo que curl añada el encabezado \"Authorization\" a la nueva petición. Los usuarios de Guzzle 7 afectados deben actualizar a Guzzle versión 7.4.5 lo antes posible. Los usuarios afectados que usen cualquier serie anterior de Guzzle deberían actualizar a Guzzle versiones 6.5.8 o 7.4.5. Tenga en cuenta que en Guzzle versión 7.4.2 fué implementada una corrección parcial, en la que un cambio de host desencadenaba una eliminación del encabezado de autorización añadida por curl, sin embargo esta corrección anterior no cubría el cambio de esquema o el cambio de puerto. Si no necesita o espera que sean seguidos los redireccionamientos, simplemente debería deshabilítalos todos. Alternativamente, puede especificarse el uso del backend de Guzzle steam handler, en lugar de curl", }, ], id: "CVE-2022-31090", lastModified: "2024-11-21T07:03:52.457", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-06-27T22:15:08.873", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82", }, { source: "security-advisories@github.com", tags: [ "Mitigation", "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202305-24", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5246", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202305-24", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5246", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-212", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-05-25 18:15
Modified
2024-11-21 06:58
Severity ?
8.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*", matchCriteriaId: "495B0DEA-6E51-454B-B811-47B334CE40A4", versionEndExcluding: "6.5.6", vulnerable: true, }, { criteria: "cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*", matchCriteriaId: "A8E4017F-35FC-439A-85A4-865F9BE61BDB", versionEndExcluding: "7.4.3", versionStartIncluding: "7.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", matchCriteriaId: "5C4BD5FB-2B12-4F08-8DED-9BC3EDDCBCFD", versionEndExcluding: "9.2.20", versionStartIncluding: "9.2.0", vulnerable: true, }, { criteria: "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", matchCriteriaId: "E1CE8EF9-8C3E-4469-85DC-F516F1C25350", versionEndExcluding: "9.3.14", versionStartIncluding: "9.3.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.", }, { lang: "es", value: "Guzzle es un cliente PHP HTTP. Guzzle versiones anteriores a 6.5.6 y 7.4.3, contienen una vulnerabilidad con el middleware de cookies. La vulnerabilidad consiste en que no es comprobado si el dominio de la cookie es igual al dominio del servidor que establece la cookie por medio del encabezado Set-Cookie, lo que permite a un servidor malicioso establecer cookies para dominios no relacionados. El middleware de cookies está deshabilitado por defecto, por lo que la mayoría de los consumidores de la biblioteca no estarán afectados por este problema. Sólo aquellos que añaden manualmente el middleware de cookies a la pila de manejadores o construyen el cliente con [\"cookies\" =) true] están afectados. Además, aquellos que no usen el mismo cliente Guzzle para llamar a múltiples dominios y hayan deshabilitado el reenvío de redirecciones no estarán afectados por esta vulnerabilidad. Guzzle versiones 6.5.6 y 7.4.3, contienen un parche para este problema. Como mitigación, deshabilite el middleware de cookies", }, ], id: "CVE-2022-29248", lastModified: "2024-11-21T06:58:48.170", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 5.8, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-05-25T18:15:08.503", references: [ { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab", }, { source: "security-advisories@github.com", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/pull/3018", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5246", }, { source: "security-advisories@github.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.drupal.org/sa-core-2022-010", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/pull/3018", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5246", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.drupal.org/sa-core-2022-010", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-565", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }