Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.5
CVSSv3

CVE-2022-31043

Published: 10/06/2022 Updated: 24/07/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Subscribe to Guzzlephp

Vulnerability Summary

Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach which would be to use their own redirect middleware. Alternately users may simply disable redirects all together if redirects are not expected or required.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

guzzlephp guzzle

drupal drupal

drupal drupal 9.4.0

debian debian linux 11.0

Vendor Advisories

Debian CVElist Bug Report Logs: guzzle: CVE-2022-31042 CVE-2022-31043
Debian Bug report logs - #1012821 guzzle: CVE-2022-31042 CVE-2022-31043 Package: src:guzzle; Maintainer for src:guzzle is Katharina Drexel <katharinadrexel@bfhch>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 14 Jun 2022 20:15:02 UTC Severity: grave Tags: security, upstream Found in version guz ...
Debian Security Advisories: DSA-5246-1 mediawiki -- security update
Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in restriction bypass, information leaks, cross-site scripting or denial of service For the stable distribution (bullseye), these problems have been fixed in version 1:1358-1~deb11u1 We recommend that you upgrade your mediawiki pac ...
Arch Linux Issues:
Severity Unknown Remote Unknown Type Unknown Description AVG-2823 mediawiki 1382-1 1383-1 Unknown Fixed githubcom/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q githubcom/guzzle/g ...

References

CWE-212https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5qhttps://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xxhttps://www.drupal.org/sa-core-2022-011https://www.debian.org/security/2022/dsa-5246https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012821https://www.debian.org/security/2022/dsa-5246https://nvd.nist.gov
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2022-38028CVE-2024-32406CVE-2024-25624IMAPCVE-2024-2310CVE-2024-0874CVE-2024-20359XXEremote code execution
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook