Severity: 7.5 HIGH (NVD)
EPSS: 1.5% (top 19.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 10

Description

Guzzle is an open source PHP HTTP client. In affected versions, `Authorization` headers on requests are sensitive information. When a request made with the `https` scheme receives a redirect to a URI with the `http` scheme, the `Authorization` header should not be forwarded. This mirrors the existing behaviour of not forwarding the header when the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only cha

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (7 packages)

Packagist | guzzlehttp/guzzle | 4.0.0 to 6.5.7 | +1
CVEListV5 | guzzle/guzzle | < 6.5.7 | +1
NVD | guzzlephp/guzzle | 7.0.0 to 7.4.4 | +1
Debian | guzzle/guzzle | < 7.4.4-1 | +2
Packagist | drupal/core | 8.0.0 to 9.2.21 | +1

Also affects: Debian Linux 11.0

Patches

Vulnerability Details (6)

OSV: CVE-2022-31042: *Updated 22:00 UTC 2022-06-10: Added steps to update without `drupal/core-recommended` (2022-06-10)
OSV: CVE-2022-31043: Guzzle is an open source PHP HTTP client (2022-06-10)
CVEList: Fix failure to strip Authorization header on HTTP downgrade in Guzzle (2022-06-09)
GHSA: Fix failure to strip Authorization header on HTTP downgrade (2022-06-09)
OSV: Failure to strip the Cookie header on change in host or HTTP downgrade (2022-06-09)

Vendor Advisories (2)

Drupal: Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011 (2022-06-10)
Debian: CVE-2022-31043: guzzle - Guzzle is an open source PHP HTTP client. In affected versions `Authorization` h... (2022)
CVE-2022-31043 — Sensitive Information Exposure | cvebase