CVSSv3: 7.7

CVE-2022-31090

Published: 27/06/2022 Updated: 21/11/2024

Vulnerability Summary

Guzzle is an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions, when using the Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if the client chooses to follow it, it should remove the `CURLOPT_HTTPAUTH` option before continuing, which stops curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users of any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added `Authorization` header; however, this earlier fix did not cover a change in scheme or a change in port. If you do not require or expect redirects to be followed, simply disable redirects altogether. Alternatively, you can configure Guzzle to use the stream handler backend rather than curl.
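The origin check the advisory describes, shown as an added example rather than Guzzle's own code: redirects are followed manually with PHP's curl extension, and credentials set through `CURLOPT_HTTPAUTH`/`CURLOPT_USERPWD` are only attached while the hop stays on the original scheme, host and port (comparing host alone, as the partial 7.4.2 fix did, is not enough). Function names are assumed for illustration.

```php
<?php
// Added example (not Guzzle's code): follow redirects ourselves and drop the
// curl-managed credentials as soon as a hop leaves the original origin.
function originOf(string $uri): array
{
    $p = parse_url($uri) ?: [];
    $scheme = strtolower($p['scheme'] ?? 'http');
    $host = strtolower($p['host'] ?? '');
    // Normalise the default port so http://a.example:80 and http://a.example match.
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return [$scheme, $host, $port];
}
function sameOrigin(string $a, string $b): bool
{
    $from = originOf($a);
    // An unparsable first URI never counts as "same origin".
    return $from[1] !== '' && $from === originOf($b);
}
// Per-hop options: auth is attached only when the hop shares the first request's
// origin. Scheme or port changes alone are enough to withhold it.
function curlOptionsForHop(string $firstUri, string $hopUri, ?string $userPwd): array
{
    $opts = [
        CURLOPT_URL => $hopUri,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false, // never let curl follow on its own
    ];
    if ($userPwd !== null && sameOrigin($firstUri, $hopUri)) {
        $opts[CURLOPT_HTTPAUTH] = CURLAUTH_BASIC;
        $opts[CURLOPT_USERPWD] = $userPwd;
    }
    return $opts;
}
function fetchFollowingRedirects(string $uri, ?string $userPwd, int $maxHops = 5): ?string
{
    $current = $uri;
    for ($i = 0; $i < $maxHops; $i++) {
        $ch = curl_init();
        curl_setopt_array($ch, curlOptionsForHop($uri, $current, $userPwd));
        $body = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL); // absolute Location, '' if none
        curl_close($ch);
        if ($status < 300 || $status >= 400 || $next === '') {
            return $body === false ? null : $body;
        }
        $current = $next; // next hop is re-evaluated against the first origin
    }
    return null; // redirect limit reached
}
```

Calling `sameOrigin('https://api.example/v1', 'http://api.example/v1')` or `sameOrigin('https://api.example/v1', 'https://api.example:8443/v1')` returns false, so those hops are made without credentials.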


Vulnerable Products

guzzlephp guzzle

debian debian linux 11.0

Vendor Advisories

Debian Bug report logs - #1014492 guzzle: CVE-2022-31090 CVE-2022-31091 Package: src:guzzle; Maintainer for src:guzzle is Katharina Drexel <katharinadrexel@bfhch>; Reported by: Moritz Mühlenhoff <jmm@inutilorg> Date: Wed, 6 Jul 2022 21:06:02 UTC Severity: grave Tags: security, upstream Reply or subscribe t ...
Multiple security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in restriction bypass, information leaks, cross-site scripting or denial of service For the stable distribution (bullseye), these problems have been fixed in version 1:1358-1~deb11u1 We recommend that you upgrade your mediawiki pac ...
Severity Unknown Remote Unknown Type Unknown Description AVG-2823 mediawiki 1382-1 1383-1 Unknown Fixed github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r github.com/guzzle/g ...