CVE-2022-31091

Severity
7.7 HIGH
EPSS
0.3%
top 43.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jun 27

Description

Guzzle is an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions, when a request receives a redirect to a URI with a different port and we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request before continuing. Previously, we only considered a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using
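As an added illustration of the check the description calls for (example code written for this page, not Guzzle's own RedirectMiddleware; the function names and the example.com URLs are constructed), the legacy scheme-and-host comparison sits beside the fixed one that also compares ports, with default ports normalised so an explicit `:443` is not mistaken for a new origin. It assumes the redirect target has already been resolved to an absolute URL.

```php
<?php
// Added example, not Guzzle's code: does following a redirect cross an origin boundary,
// and if so, drop the credential-bearing headers before re-sending the request.

/** Default ports per scheme, so "https://a" and "https://a:443" compare equal. */
const DEFAULT_PORTS = ['http' => 80, 'https' => 443];

/** Reduce an absolute URL to its (scheme, host, port) origin triple. */
function originOf(string $url): array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException("Not an absolute URL: $url");
    }
    $scheme = strtolower($p['scheme']);
    $port = $p['port'] ?? (DEFAULT_PORTS[$scheme] ?? null);
    return [$scheme, strtolower($p['host']), $port];
}

/** Pre-7.4.5 logic: only scheme and host are compared, the port is ignored. */
function sameOriginLegacy(string $from, string $to): bool
{
    [$fromScheme, $fromHost] = originOf($from);
    [$toScheme, $toHost] = originOf($to);
    return $fromScheme === $toScheme && $fromHost === $toHost;
}

/** Fixed logic: a change in port is a change in origin too. */
function sameOrigin(string $from, string $to): bool
{
    return originOf($from) === originOf($to);
}

/** Remove Authorization and Cookie (header names are case-insensitive) when the redirect leaves the origin. */
function headersForRedirect(array $headers, string $from, string $to): array
{
    if (sameOrigin($from, $to)) {
        return $headers;
    }
    return array_filter(
        $headers,
        fn ($name) => !in_array(strtolower($name), ['authorization', 'cookie'], true),
        ARRAY_FILTER_USE_KEY
    );
}

// Constructed demo: same scheme and host, but the redirect target uses port 8443.
$from = 'https://api.example.com/login';
$to = 'https://api.example.com:8443/login';
$headers = ['Authorization' => 'Bearer <token>', 'Cookie' => 'session=abc', 'Accept' => 'application/json'];
var_dump(sameOriginLegacy($from, $to), sameOrigin($from, $to));
print_r(headersForRedirect($headers, $from, $to));
```

The legacy comparison treats the two URLs as the same origin and would have forwarded the token and cookie to port 8443; the fixed comparison does not, and only `Accept` survives the redirect.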

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Exploitability: 3.1 | Impact: 4.0

Affected Packages (5 packages)

Source     | Package            | Affected range                      |
Packagist  | guzzlehttp/guzzle  | 7.0.0 (introduced) to 7.4.5 (fixed) | +1
CVEListV5  | guzzle/guzzle      | < 6.5.8                             | +1
NVD        | guzzlephp/guzzle   | 7.0.0 (introduced) to 7.4.5 (fixed) | +1
Debian     | guzzle             | < 7.4.5-1                           | +2
Debian     | mediawiki          | < 1:1.35.8-1~deb11u1                | +3

Also affects: Debian Linux 11.0

Patches

🔴 Vulnerability Details (4)

OSV      2022-06-27  CVE-2022-31091: Guzzle, an extensible PHP HTTP client
CVEList  2022-06-27  Change in port should be considered a change in origin in Guzzle
GHSA     2022-06-21  Change in port should be considered a change in origin
OSV      2022-06-21  Change in port should be considered a change in origin

📋 Vendor Advisories (1)

Debian   2022  CVE-2022-31091: guzzle - Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on r...
CVE-2022-31091 (HIGH CVSS 7.7) | cvebase.io