CVE-2022-29248

Severity: 8.1 HIGH
EPSS: 0.6% (top 29.53%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 25, 2022

Description

Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Exploitability: 1.6 | Impact: 5.8

Affected Packages (7 packages)

| Source | Package | Versions |
| --- | --- | --- |
| Packagist | guzzlehttp/guzzle | 7.0.0 (introduced), 7.4.3 (fixed), +1 more |
| CVEListV5 | guzzle/guzzle | < 6.5.6, +1 more |
| NVD | guzzlephp/guzzle | 7.0.0 (introduced), 7.4.3 (fixed), +1 more |
| Debian | guzzle | < 7.4.4-1, +2 more |
| Packagist | drupal/core | 8.0.0 (introduced), 9.2.20 (fixed), +1 more |

Also affects: Debian Linux 11.0

Patches

🔴 Vulnerability Details (5)

- OSV: Cross-domain cookie leakage in Guzzle (2022-05-25)
- OSV: CVE-2022-29248: Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services (2022-05-25)
- CVEList: Cross-domain cookie leakage in Guzzle (2022-05-25)
- GHSA: Cross-domain cookie leakage in Guzzle (2022-05-25)
- OSV: CVE-2022-29248: Guzzle is a PHP HTTP client (2022-05-25)

📋 Vendor Advisories (2)

- Drupal: Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-010 (2022-05-25)
- Debian: CVE-2022-29248: guzzle - Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a... (2022)
CVE-2022-29248 (HIGH CVSS 8.1) | Guzzle is a PHP HTTP client | cvebase.io