CVE-2022-24775 — Improper Input Validation in Psr7

CWE-20 — Improper Input Validation9 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.9%

top 23.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Guzzle Psr7 Drupal Guzzlephp Psr-7 +2 more

Timeline

PublishedMar 21

Latest updateFeb 29

Description

guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶Packagistguzzlehttp/psr72.0.0 — 2.1.1+1

▶CVEListV5guzzle/psr7< 1.9.1+3

▶Packagistdrupal/core8.0.0 — 9.2.16+1

▶NVDdrupal/drupal8.0.0 — 9.2.16+1

▶NVDguzzlephp/psr-72.0.0 — 2.1.1+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: www.drupal.org ↗

🔴Vulnerability Details

GHSA

Improper Input Validation in guzzlehttp/psr7↗2022-03-25

▶

OSV

Improper Input Validation in guzzlehttp/psr7↗2022-03-25

▶

OSV

CVE-2022-24775: Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services↗2022-03-21

▶

OSV

CVE-2022-24775: guzzlehttp/psr7 is a PSR-7 HTTP message library↗2022-03-21

▶

CVEList

Improper Input Validation in guzzlehttp/psr7↗2022-03-21

▶

📋Vendor Advisories

Ubuntu

php-guzzlehttp-psr7 vulnerabilities↗2024-02-29

▶

Drupal

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006↗2022-03-21

▶

Debian

CVE-2022-24775: php-guzzlehttp-psr7 - guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1...↗2022

▶