CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.002 Low
Percentile: 60.4%

Updated 22:00 UTC 2022-06-10: Added steps to update without drupal/core-recommended.

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:

- Failure to strip the Cookie header on change in host or HTTP downgrade
- Fix failure to strip Authorization header on HTTP downgrade

These do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.

We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has already published information about the vulnerabilities, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated these vulnerabilities as high-risk.

This advisory is not covered by Drupal Steward.

github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9
github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
www.drupal.org/docs/develop/using-composer/manage-dependencies#s-moving-from-drupalcore-recommended-to-drupalcore
www.drupal.org/node/1173280
www.drupal.org/node/3268032
www.drupal.org/project/drupal/releases/9.2.21
www.drupal.org/project/drupal/releases/9.3.16
www.drupal.org/project/drupal/releases/9.4.0-rc2
www.drupal.org/psa-2021-06-29
www.drupal.org/user/102818
www.drupal.org/user/108450
www.drupal.org/user/1507580
www.drupal.org/user/17943
www.drupal.org/user/1850070
www.drupal.org/user/2228934
www.drupal.org/user/246492
www.drupal.org/user/3513564
www.drupal.org/user/65776
www.drupal.org/user/683300