GHSA-W3W9-VRF5-8MX8

Vulnerability from github – Published: 2022-09-16 18:48 – Updated: 2022-09-16 18:48
VLAI?
Summary
ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent
Details

Impact

In ReactPHP's HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host- and __Secure- confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-7070 and CVE-2020-8184 for more information.

Patches

  • https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6 - Fixed in reactphp/http v1.7.0

Workarounds

Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected Cookie request headers.

References

  • CVE-2020-7070, https://bugs.php.net/bug.php?id=79699 and https://github.com/php/php-src/commit/6559fe912661ca5ce5f0eeeb591d928451428ed0
  • CVE-2020-8184, https://hackerone.com/reports/895727 and https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c
  • Originally introduced via https://github.com/reactphp/http/pull/175

Credits

  • Thanks to Marco Squarcina (TU Wien) for reporting this and working with us to coordinate this security advisory

For more information

If you have any questions or comments about this advisory:

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "react/http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.7.0"
            },
            {
              "fixed": "1.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36032"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-565"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T18:48:53Z",
    "nvd_published_at": "2022-09-06T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIn ReactPHP\u0027s HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like `__Host-` and `__Secure-` confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-7070 and CVE-2020-8184 for more information. \n\n### Patches\n\n* https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6 - Fixed in [reactphp/http `v1.7.0`](https://github.com/reactphp/http/releases/tag/v1.7.0)\n\n### Workarounds\n\nInfrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected `Cookie` request headers.\n\n### References\n\n* CVE-2020-7070, https://bugs.php.net/bug.php?id=79699 and https://github.com/php/php-src/commit/6559fe912661ca5ce5f0eeeb591d928451428ed0\n* CVE-2020-8184, https://hackerone.com/reports/895727 and https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c\n* Originally introduced via https://github.com/reactphp/http/pull/175\n\n### Credits\n\n* Thanks to Marco Squarcina (TU Wien) for reporting this and working with us to coordinate this security advisory\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* [Join the discussion](https://github.com/orgs/reactphp/discussions/465)\n* Email us at support@reactphp.org\n",
  "id": "GHSA-w3w9-vrf5-8mx8",
  "modified": "2022-09-16T18:48:53Z",
  "published": "2022-09-16T18:48:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/reactphp/http/security/advisories/GHSA-w3w9-vrf5-8mx8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36032"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reactphp/http/pull/175"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/react/http/CVE-2022-36032.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/reactphp/http"
    },
    {
      "type": "WEB",
      "url": "https://github.com/reactphp/http/releases/tag/v1.7.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ReactPHP\u0027s HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.