CVE-2023-29197

2023-04-1722:15:09

Debian Security Bug Tracker

security-tracker.debian.org

guzzlehttp/psr7

http message library

improper header parsing

newline insertion

security vulnerability

fixed versions

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.003

Percentile

69.9%

JSON

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade.

OSVersionArchitecturePackageVersionFilename
Debian12allphp-guzzlehttp-psr7< 2.4.5-1php-guzzlehttp-psr7_2.4.5-1_all.deb
Debian11allphp-guzzlehttp-psr7< 1.7.0-1+deb11u2php-guzzlehttp-psr7_1.7.0-1+deb11u2_all.deb
Debian999allphp-guzzlehttp-psr7< 2.4.5-1php-guzzlehttp-psr7_2.4.5-1_all.deb
Debian13allphp-guzzlehttp-psr7< 2.4.5-1php-guzzlehttp-psr7_2.4.5-1_all.deb
Debian12allphp-nyholm-psr7< 1.5.1-2php-nyholm-psr7_1.5.1-2_all.deb
Debian11allphp-nyholm-psr7< 1.3.2-2+deb11u1php-nyholm-psr7_1.3.2-2+deb11u1_all.deb
Debian999allphp-nyholm-psr7< 1.5.1-2php-nyholm-psr7_1.5.1-2_all.deb
Debian13allphp-nyholm-psr7< 1.5.1-2php-nyholm-psr7_1.5.1-2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	php-guzzlehttp-psr7	< 2.4.5-1	php-guzzlehttp-psr7_2.4.5-1_all.deb
Debian	11	all	php-guzzlehttp-psr7	< 1.7.0-1+deb11u2	php-guzzlehttp-psr7_1.7.0-1+deb11u2_all.deb
Debian	999	all	php-guzzlehttp-psr7	< 2.4.5-1	php-guzzlehttp-psr7_2.4.5-1_all.deb
Debian	13	all	php-guzzlehttp-psr7	< 2.4.5-1	php-guzzlehttp-psr7_2.4.5-1_all.deb
Debian	12	all	php-nyholm-psr7	< 1.5.1-2	php-nyholm-psr7_1.5.1-2_all.deb
Debian	11	all	php-nyholm-psr7	< 1.3.2-2+deb11u1	php-nyholm-psr7_1.3.2-2+deb11u1_all.deb
Debian	999	all	php-nyholm-psr7	< 1.5.1-2	php-nyholm-psr7_1.5.1-2_all.deb
Debian	13	all	php-nyholm-psr7	< 1.5.1-2	php-nyholm-psr7_1.5.1-2_all.deb