CVE-2022-24775
Published: 2022-03-21
CVE-2022-24775: guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new…
Priority: P3 · 42 · high · 7.5 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 2.38% (81.8th percentile)
guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.
Affected (18 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-guzzlehttp-psr7 | < php-guzzlehttp-psr7 2.4.5-1 (bookworm) | php-guzzlehttp-psr7 2.4.5-1 (bookworm) |
| debian | php-guzzlehttp-psr7 | < php-guzzlehttp-psr7 1.8.5-1 (bookworm) | php-guzzlehttp-psr7 1.8.5-1 (bookworm) |
| debian | php-nyholm-psr7 | < php-guzzlehttp-psr7 2.4.5-1 (bookworm) | php-guzzlehttp-psr7 2.4.5-1 (bookworm) |
| drupal | core | >= 8.0.0 < 9.2.16 | 9.2.16 |
| drupal | core | >= 9.3.0 < 9.3.9 | 9.3.9 |
| drupal | drupal | >= 8.0.0 < 9.2.16 | 9.2.16 |
| drupal | drupal | >= 9.3.0 < 9.3.9 | 9.3.9 |
| drupal | drupal_core | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| guzzle | psr7 | < 1.9.1 | 1.9.1 |
| guzzle | psr7 | — | — |
| guzzlehttp | psr7 | >= 0 < 1.8.4 | 1.8.4 |
| guzzlehttp | psr7 | >= 2.0.0 < 2.1.1 | 2.1.1 |
| guzzlephp | psr-7 | < 1.8.4 | 1.8.4 |
| guzzlephp | psr-7 | < 1.9.1 | 1.9.1 |
| guzzlephp | psr-7 | >= 2.0.0 < 2.1.1 | 2.1.1 |
| guzzlephp | psr-7 | >= 2.0.0 < 2.4.5 | 2.4.5 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
OSV
CVE-2023-29197: guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP
osv·2023-04-17·CVSS 7.5
CVE-2023-29197 [HIGH] CVE-2023-29197: guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade.
GHSA
Improper Input Validation in guzzlehttp/psr7
ghsa·2022-03-25
CVE-2022-24775 [MEDIUM] CWE-20 Improper Input Validation in guzzlehttp/psr7
Improper Input Validation in guzzlehttp/psr7
### Impact
Improper header parsing. An attacker could sneak in a carriage return character (`\r`) and pass untrusted values in both the header names and values.
### Patches
The issue is patched in 1.8.4 and 2.1.1.
### Workarounds
There are no known workarounds.
### References
* https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4
OSV
Improper Input Validation in guzzlehttp/psr7
osv·2022-03-25
CVE-2022-24775 [MEDIUM] Improper Input Validation in guzzlehttp/psr7
Improper Input Validation in guzzlehttp/psr7
### Impact
Improper header parsing. An attacker could sneak in a carriage return character (`\r`) and pass untrusted values in both the header names and values.
### Patches
The issue is patched in 1.8.4 and 2.1.1.
### Workarounds
There are no known workarounds.
### References
* https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4
OSV
CVE-2022-24775: Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services
osv·2022-03-21
CVE-2022-24775 CVE-2022-24775: Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. [Guzzle has released a security update](https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96) which may affect some Drupal sites.
We are issuing this security advisory outside our regular [Drupal security release window schedule](https://www.drupal.org/node/1173280) since Guzzle has already published information about the vulnerability, and vulnerabilities might exist with core, contributed modules, or custom modules that use Guzzle for outgoing requests. Guzzle has rated this vulnerability as low-risk.
This advisory is not covered by Drupal Steward.
OSV
CVE-2022-24775: guzzlehttp/psr7 is a PSR-7 HTTP message library
osv·2022-03-21·CVSS 7.5
CVE-2022-24775 [HIGH] CVE-2022-24775: guzzlehttp/psr7 is a PSR-7 HTTP message library
guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.
Ubuntu
php-guzzlehttp-psr7 vulnerabilities
vendor_ubuntu·2024-02-29
CVE-2023-29197 php-guzzlehttp-psr7 vulnerabilities
Title: php-guzzlehttp-psr7 vulnerabilities
Summary: Several header injection issues were fixed in php-guzzlehttp-psr7.
It was discovered that php-guzzlehttp-psr7 incorrectly parsed HTTP headers. A remote attacker could possibly use these issues to perform an HTTP header injection attack.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2023-29197: php-guzzlehttp-psr7 - guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected ...
vendor_debian·2023·CVSS 7.5
CVE-2023-29197 [HIGH] CVE-2023-29197: php-guzzlehttp-psr7 - guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected ...
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade.
Scope: local
bookworm: resolved (fixed in 2.4.5-1)
bullseye: resolved (fixed in 1.7.0-1+deb11u2)
forky: resolved (fixed in 2.4.5-1)
sid: resolved (fixed in 2.4.5-1)
trixie: resolved (fixed in 2.4.5-1)
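The incomplete-fix pattern the advisories above describe (rejecting `\r` while a bare `\n` still gets through), as an added example that is not guzzlehttp/psr7's own code: a standalone PHP validator for header names and values following RFC 7230 section 3.2.4, shown beside the CR-only check for contrast. The function names are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not guzzlehttp/psr7's own code. Checks header names and values
// against RFC 7230 section 3.2.4 before they reach a serialized HTTP message.

// Contrast case (hypothetical): a check that only rejects "\r". A value such as
// "text/html\nX-Injected: 1" passes it, yet a server that treats a bare "\n"
// as a line terminator will read "X-Injected: 1" as a second header.
function rejectsOnlyCarriageReturn(string $value): bool
{
    return strpos($value, "\r") === false;
}

// field-name = token (RFC 7230 3.2.6): tchar plus DIGIT / ALPHA, nothing else.
// "\z" (absolute end) is used instead of "$": without the D modifier, "$" also
// matches just before a trailing "\n", which would let "Host\n" through.
function isValidHeaderName(string $name): bool
{
    return preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+\z/', $name) === 1;
}

// field-value: VCHAR, SP, HTAB and obs-text only. CR (0x0D) and LF (0x0A) are
// excluded in every form, so neither "\r\n", "\r" nor a bare "\n" can survive.
function isValidHeaderValue(string $value): bool
{
    return preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*\z/', $value) === 1;
}

// Fail closed: refuse to build the header rather than trying to sanitize it,
// since stripping bytes can still leave an attacker-shaped value behind.
function assertHeader(string $name, string $value): void
{
    if (!isValidHeaderName($name)) {
        throw new InvalidArgumentException('Invalid header name: ' . var_export($name, true));
    }
    if (!isValidHeaderValue($value)) {
        throw new InvalidArgumentException('Invalid header value for ' . $name . ': ' . var_export($value, true));
    }
}

// Constructed inputs for a quick run; the second one carries a bare LF.
foreach (["text/html", "text/html\nX-Injected: 1"] as $candidate) {
    try {
        assertHeader('Content-Type', $candidate);
        echo 'accepted: ', var_export($candidate, true), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Apply the same check to every header on the client side too: a library that builds outgoing requests from user input must not forward values it would refuse to parse.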
Drupal
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006
vendor_drupal·2022-03-21
CVE-2022-24775 [MEDIUM] Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006
Title: Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006
Vulnerability Type: Third-party libraries
Description: Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites. We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has already published information about the vulnerability, and vulnerabilities might exist with core, contributed modules, or custom modules that use Guzzle for outgoing requests. Guzzle has rated this vulnerability as low-risk. This advisory is not covered by Drupal Steward.
Solution: Install the latest version: If you are using Drupal 9.3, update to Drupal 9.3.9
Debian
CVE-2022-24775: php-guzzlehttp-psr7 - guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1...
vendor_debian·2022·CVSS 7.5
CVE-2022-24775 [HIGH] CVE-2022-24775: php-guzzlehttp-psr7 - guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1...
guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.
Scope: local
bookworm: resolved (fixed in 1.8.5-1)
bullseye: resolved (fixed in 1.7.0-1+deb11u1)
forky: resolved (fixed in 1.8.5-1)
sid: resolved (fixed in 1.8.5-1)
trixie: resolved (fixed in 1.8.5-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
* https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1
* https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc
* https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
* https://www.drupal.org/sa-core-2022-006
Published: 2022-03-21