Guzzlehttp Guzzle vulnerabilities

6 known vulnerabilities affecting guzzlehttp/guzzle.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 2
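To see which of the entries on this page apply to a pinned dependency, the following added example (not the page's or Guzzle's code) reads a composer.lock and compares the locked guzzlehttp/guzzle version against the affected ranges exactly as this page lists them. The lock file content is constructed for illustration, and the extra range the page elides for CVE-2016-5385 ("+1 more") is not included, so that entry is only partially covered.

```python
"""Check a composer.lock for guzzlehttp/guzzle versions inside the affected
ranges listed on this page.  Added example, not part of the page or of Guzzle;
the embedded lock file is constructed for illustration."""
import json
import re

# Affected ranges as listed on this page: CVE -> [(min inclusive, max exclusive), ...].
# The range the page elides for CVE-2016-5385 ("+1 more") is not known and not included.
AFFECTED = {
    "CVE-2022-31091": [("0", "6.5.8"), ("7.0.0", "7.4.5")],
    "CVE-2022-31090": [("0", "6.5.8"), ("7.0.0", "7.4.5")],
    "CVE-2022-31042": [("4.0.0", "6.5.7"), ("7.0.0", "7.4.4")],
    "CVE-2022-31043": [("4.0.0", "6.5.7"), ("7.0.0", "7.4.4")],
    "CVE-2022-29248": [("0", "6.5.6"), ("7.0.0", "7.4.3")],
    "CVE-2016-5385": [("6", "6.2.1"), ("4.0.0-rc2", "4.2.4")],
}


def parse_version(v):
    """Turn '7.4.1', 'v7.4.1', '6' or '4.0.0-rc2' into a sortable tuple.
    Numeric parts compare numerically and are padded to three components;
    a pre-release sorts below the release with the same numbers, as in semver.
    Branch aliases such as 'dev-master' are rejected rather than guessed at."""
    v = v.lstrip("v")
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$", v)
    if not m:
        raise ValueError("unrecognised version: %r" % v)
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    pre = m.group(2)
    return (tuple(nums), 1 if pre is None else 0, pre or "")


def in_range(version, lo, hi):
    """lo <= version < hi under parse_version ordering."""
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def affected_cves(version, table=AFFECTED):
    """Sorted list of CVEs from `table` whose ranges contain `version`."""
    return sorted(cve for cve, ranges in table.items()
                  if any(in_range(version, lo, hi) for lo, hi in ranges))


def installed_guzzle(lock_json, package="guzzlehttp/guzzle"):
    """Locked version of `package` from composer.lock content, or None if absent."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"]
    return None


def check_lock(lock_json):
    """(installed version, affected CVEs) for a composer.lock; (None, []) if Guzzle is not locked."""
    version = installed_guzzle(lock_json)
    if version is None:
        return None, []
    return version, affected_cves(version)


# Constructed composer.lock fragment, not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "psr/http-message", "version": "1.0.1"},
        {"name": "guzzlehttp/guzzle", "version": "7.4.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    version, cves = check_lock(SAMPLE_LOCK)
    print("guzzlehttp/guzzle", version, "affected by:", ", ".join(cves) or "none listed")
```

Run it against a real lock file with `check_lock(open("composer.lock").read())`. A version of 7.4.3 in the constructed lock is past the CVE-2022-29248 fix but still inside the four June 2022 redirect-related ranges, which is the kind of boundary a manual glance at the table gets wrong.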

Vulnerabilities

CVE-2022-31091 | MEDIUM | CVSS 6.5 | Affected: ≥ 0, < 6.5.8 and ≥ 7.0.0, < 7.4.5 | Date: 2022-06-21
CWE-200. Change in port should be considered a change in origin.
Impact: `Authorization` and `Cookie` headers on requests are sensitive information. On making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request before continuing. Previously, we would only consider a change in host or scheme do […]
Sources: GHSA, OSV
CVE-2022-31090 | MEDIUM | CVSS 6.5 | Affected: ≥ 0, < 6.5.8 and ≥ 7.0.0, < 7.4.5 | Date: 2022-06-21
CWE-200. CURLOPT_HTTPAUTH option not cleared on change of origin.
Impact: `Authorization` headers on requests are sensitive information. When using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin, if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` and `CURL […]
Sources: GHSA, OSV
CVE-2022-31042 | HIGH | Affected: ≥ 4.0.0, < 6.5.7 and ≥ 7.0.0, < 7.4.4 | Date: 2022-06-09
CWE-200. Failure to strip the Cookie header on change in host or HTTP downgrade.
Impact: `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a URI on a different host, we should not forward the `Cookie` heade […]
Sources: GHSA, OSV
CVE-2022-31043 | HIGH | Affected: ≥ 4.0.0, < 6.5.7 and ≥ 7.0.0, < 7.4.4 | Date: 2022-06-09
CWE-200. Fix failure to strip Authorization header on HTTP downgrade.
Impact: `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as how we don't forward the header if the host changes. Prior to this fi […]
Sources: GHSA
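The four redirect advisories above (CVE-2022-31042, CVE-2022-31043, CVE-2022-31090 and CVE-2022-31091) are one rule seen from four angles: credentials attached to a request must not be replayed to a redirect target that is a different origin, whether the difference is the host, the scheme or the port, and that applies to credentials configured outside the header map (the `CURLOPT_HTTPAUTH` case) as much as to the headers themselves. The following added example models that rule in a single comparison of the (scheme, host, effective port) triple; it is not Guzzle's RedirectMiddleware, and the request, token and hosts are constructed.

```python
"""Decide which request headers and credentials may follow a redirect.

Added example modelling the rules described in CVE-2022-31042, CVE-2022-31043,
CVE-2022-31090 and CVE-2022-31091; it is not Guzzle's RedirectMiddleware, and
the request below is constructed."""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Request headers that carry credentials and must not cross an origin boundary.
SENSITIVE_HEADERS = {"authorization", "cookie"}


def origin(url):
    """Return (scheme, host, effective port), filling in the default port so
    that https://h/ and https://h:443/ count as the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def follow_redirect(request, location):
    """Build the request to send after a redirect to `location`.

    `request` is a dict with "url", "headers" and an optional "auth" entry;
    "auth" stands for credentials configured outside the header map, the
    analogue of curl's CURLOPT_HTTPAUTH/CURLOPT_USERPWD from CVE-2022-31090.

    Credentials are dropped whenever the target is a different origin, which
    covers a different host (CVE-2022-31042), an https -> http downgrade
    (CVE-2022-31043) and a different port (CVE-2022-31091) in one comparison.
    A Location header may be relative, so it is resolved against the
    original URL first."""
    target = urljoin(request["url"], location)
    headers = dict(request["headers"])
    auth = request.get("auth")
    if origin(target) != origin(request["url"]):
        headers = {k: v for k, v in headers.items()
                   if k.lower() not in SENSITIVE_HEADERS}
        auth = None
    return {"url": target, "headers": headers, "auth": auth}


# Constructed request: a bearer token, a session cookie and a handler-level
# credential pair, as a client might send to its own API.
SAMPLE_REQUEST = {
    "url": "https://api.example.com/v1/me",
    "headers": {
        "Authorization": "Bearer constructed-token",
        "Cookie": "session=constructed",
        "Accept": "application/json",
    },
    "auth": ("svc-user", "constructed-password"),
}

if __name__ == "__main__":
    for loc in ("/v1/profile",
                "https://api.example.com:443/v1/profile",
                "http://api.example.com/v1/profile",
                "https://api.example.com:8443/v1/profile",
                "https://other.example.com/v1/profile"):
        out = follow_redirect(SAMPLE_REQUEST, loc)
        print("%-45s headers=%s auth=%s" % (loc, sorted(out["headers"]), out["auth"]))
```

Comparing the whole origin triple is deliberately stricter than the downgrade-only wording of CVE-2022-31043: an http to https upgrade of the same host also loses its credentials here, which costs at most one extra round trip and never leaks a secret. The effective-port normalisation matters in both directions; without it `https://api.example.com:443/` would look like a new origin, and with a naive string compare a redirect from `:443` to the default port would slip through.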
CVE-2022-29248 | HIGH | Affected: ≥ 0, < 6.5.6 and ≥ 7.0.0, < 7.4.3 | Date: 2022-05-25
CWE-200. Cross-domain cookie leakage in Guzzle.
Impact: Previous versions of Guzzle contain a vulnerability in the cookie middleware: it is not checked whether the cookie domain domain-matches the domain of the server which sets the cookie via the `Set-Cookie` header, allowing a malicious server to set cookies for unrelated domains. For example an attacker at `www.example.com` might set a session cookie for `api.example […]
Sources: GHSA, OSV
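The missing check in CVE-2022-29248 is the one RFC 6265 section 5.3 requires of every cookie store: a Domain attribute is only honoured if the host that sent the response domain-matches it, so a server on one host cannot plant a cookie that the client will later send to a sibling host. The following added example implements that acceptance rule; it is not Guzzle's CookieJar, and the hosts and Set-Cookie headers are constructed (the `api.example.com` target is my own completion of the example scenario, not text from the advisory).

```python
"""Accept or reject the Domain attribute of a Set-Cookie header against the
host that sent it, the check that CVE-2022-29248 describes as missing.

Added example following RFC 6265 sections 5.1.3 and 5.3; it is not Guzzle's
CookieJar, and the hosts and headers below are constructed."""
import ipaddress


def domain_matches(host, domain):
    """RFC 6265 5.1.3: `host` domain-matches `domain` when the two are equal,
    or when host ends with "." + domain and host is not an IP address."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    if host == domain:
        return True
    if not host.endswith("." + domain):
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return True          # a host name, so the label-boundary suffix match counts
    return False             # an IP address never domain-matches a suffix


def parse_set_cookie(value):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val})."""
    pieces = [p.strip() for p in value.split(";")]
    name, _, cookie_value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def store_cookie(response_host, set_cookie):
    """Return the cookie record to store, or None if it must be rejected.

    Without a Domain attribute the cookie is host-only for the responding host.
    With one, the responding host must domain-match it; otherwise the server
    is trying to set a cookie for a host it does not control."""
    name, value, attrs = parse_set_cookie(set_cookie)
    domain = attrs.get("domain", "")
    if not domain:
        return {"name": name, "value": value,
                "domain": response_host.lower(), "host_only": True}
    if not domain_matches(response_host, domain):
        return None
    return {"name": name, "value": value,
            "domain": domain.lower().strip("."), "host_only": False}


if __name__ == "__main__":
    # Constructed scenario: a response from www.example.com tries to set a
    # session cookie scoped to api.example.com, then a legitimate parent-domain one.
    for header in ("session=planted; Domain=api.example.com; Path=/",
                   "session=abc; Domain=example.com; Secure; HttpOnly",
                   "session=abc; Secure; HttpOnly"):
        print(header, "->", store_cookie("www.example.com", header))
```

One caveat the practitioner should keep in mind: domain-matching alone still accepts `Domain=com` or `Domain=co.uk` from any host under them, so a production cookie jar additionally rejects public suffixes using the Public Suffix List; that list is not embedded here.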
CVE-2016-5385 | HIGH | Affected: ≥ 6, < 6.2.1 and ≥ 4.0.0-rc2, < 4.2.4 (+1 more) | Date: 2022-04-07
HTTP Proxy header vulnerability (httpoxy).
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an applicati […]
Sources: OSV
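The namespace conflict in CVE-2016-5385 is mechanical: RFC 3875 section 4.1.18 tells a CGI gateway to expose each request header as an `HTTP_` plus upper-cased name meta-variable, so a client that sends `Proxy: http://attacker` makes the serving process see `HTTP_PROXY`, the same variable name HTTP clients such as Guzzle's curl handler consult for their outbound proxy. The following added example (not the page's, PHP's or Guzzle's code) reproduces the mapping, shows the collision, and shows the two usual mitigations side by side: a gateway that refuses to forward the `Proxy` header, and a client that does not trust upper-case `HTTP_PROXY` while handling a request. The request headers, environments and the mitigation policy are constructed for the example.

```python
"""Model the RFC 3875 section 4.1.18 namespace conflict behind CVE-2016-5385
(httpoxy): a CGI gateway exposes every request header as an HTTP_<NAME>
environment variable, so a client-supplied "Proxy:" header arrives as
HTTP_PROXY, the variable HTTP client libraries read for their outbound proxy.

Added example; it is not the page's, PHP's or Guzzle's code, and the request
headers and environments below are constructed."""


def cgi_meta_variables(headers, drop=()):
    """RFC 3875 4.1.18 mapping: upper-case the header name, replace "-" with
    "_" and prefix HTTP_.  `drop` lists header names (lower case) a hardened
    gateway refuses to forward; dropping "proxy" is the server-side fix, and
    nothing legitimate is lost because Proxy is not a standard request header."""
    env = {}
    for name, value in headers.items():
        if name.lower() in drop:
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def outbound_proxy_naive(env):
    """Proxy lookup as an unprotected client does it: any HTTP_PROXY wins,
    whoever set it."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def outbound_proxy_safe(env):
    """Mitigated lookup.  Lower-case http_proxy can only have come from the
    operator (CGI meta-variables are always upper case), so it is honoured.
    Upper-case HTTP_PROXY is honoured only outside a request context, i.e.
    when no CGI meta-variable such as REQUEST_METHOD is present.  This policy
    is assumed for the example and is not PHP's own behaviour."""
    if "http_proxy" in env:
        return env["http_proxy"]
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


def request_env(headers, drop=()):
    """Environment of a CGI process handling `headers`, as a gateway builds it:
    the fixed meta-variables plus the mapped request headers."""
    env = {"REQUEST_METHOD": "GET", "SERVER_NAME": "app.example.test"}
    env.update(cgi_meta_variables(headers, drop))
    return env


# Constructed malicious request.
ATTACKER_HEADERS = {
    "Host": "app.example.test",
    "User-Agent": "curl/8.0",
    "Proxy": "http://attacker.example.test:8080",
}

if __name__ == "__main__":
    env = request_env(ATTACKER_HEADERS)
    print("HTTP_PROXY seen by the app:", env.get("HTTP_PROXY"))
    print("naive client would proxy via:", outbound_proxy_naive(env))
    print("mitigated client would proxy via:", outbound_proxy_safe(env))
    print("hardened gateway passes HTTP_PROXY:",
          "HTTP_PROXY" in request_env(ATTACKER_HEADERS, drop=("proxy",)))
```

The gateway-side drop is the fix to deploy first, since it protects every CGI or FastCGI application behind the server regardless of which HTTP client library each one uses; the client-side rule is the defence for code that cannot assume a hardened gateway.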