CVE-2022-24775
published 2022-03-21

Priority: P342 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS: 2.38% (81.8th percentile)

guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.

Affected

18 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-guzzlehttp-psr7 | < php-guzzlehttp-psr7 2.4.5-1 (bookworm) | php-guzzlehttp-psr7 2.4.5-1 (bookworm) |
| debian | php-guzzlehttp-psr7 | < php-guzzlehttp-psr7 1.8.5-1 (bookworm) | php-guzzlehttp-psr7 1.8.5-1 (bookworm) |
| debian | php-nyholm-psr7 | < php-guzzlehttp-psr7 2.4.5-1 (bookworm) | php-guzzlehttp-psr7 2.4.5-1 (bookworm) |
| drupal | core | >= 8.0.0 < 9.2.16 | 9.2.16 |
| drupal | core | >= 9.3.0 < 9.3.9 | 9.3.9 |
| drupal | drupal | >= 8.0.0 < 9.2.16 | 9.2.16 |
| drupal | drupal | >= 9.3.0 < 9.3.9 | 9.3.9 |
| drupal | drupal_core | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| guzzle | psr7 | < 1.9.1 | 1.9.1 |
| guzzle | psr7 | | |
| guzzlehttp | psr7 | >= 0 < 1.8.4 | 1.8.4 |
| guzzlehttp | psr7 | >= 2.0.0 < 2.1.1 | 2.1.1 |
| guzzlephp | psr-7 | < 1.8.4 | 1.8.4 |
| guzzlephp | psr-7 | < 1.9.1 | 1.9.1 |
| guzzlephp | psr-7 | >= 2.0.0 < 2.1.1 | 2.1.1 |
| guzzlephp | psr-7 | >= 2.0.0 < 2.4.5 | 2.4.5 |

CVSS provenance

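| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |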