Source: gitlab, https://gitlab.com/gitlab-org/security-products/gemnasium-db
ID: GITLAB-38D0446928822A0190A6908C7BF3AB02
Published: May 15, 2024 - 12:00 a.m.

amphp/http-client Header leakage on cross-domain redirects


AI Score: 7 High (Confidence: Low)

amphp/http-client has a security weakness that might leak sensitive request headers from the initial request to the redirected host on cross-domain redirects, because those headers were not removed correctly. Message::setHeaders does not replace the entire set of headers; it only operates on the headers matching the given array keys.
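
The merge-versus-replace behaviour described above, as an added example that is not amphp/http-client code: ModelMessage, replaceHeaders, redirectHeaders and the SAFE_ON_REDIRECT allowlist are hypothetical names, and the header values are constructed.

```php
<?php
declare(strict_types=1);

// Simplified model, not amphp's class: only the setHeaders() behaviour
// described in the advisory is reproduced. All names are hypothetical.
final class ModelMessage
{
    private array $headers = []; // lower-cased name => value

    // Operates only on the given keys; headers not named here survive.
    public function setHeaders(array $headers): void
    {
        foreach ($headers as $name => $value) {
            $this->headers[strtolower($name)] = $value;
        }
    }

    // Discards every existing header, then applies the given set.
    public function replaceHeaders(array $headers): void
    {
        $this->headers = [];
        $this->setHeaders($headers);
    }

    public function getHeaders(): array
    {
        return $this->headers;
    }
}

// Assumed allowlist of headers that may follow a redirect to another host.
const SAFE_ON_REDIRECT = ['accept', 'user-agent'];

function redirectHeaders(ModelMessage $original, bool $fixed): array
{
    $redirect = clone $original;
    $safe = array_intersect_key($original->getHeaders(), array_flip(SAFE_ON_REDIRECT));
    if ($fixed) {
        $redirect->replaceHeaders($safe); // whole set replaced
    } else {
        $redirect->setHeaders($safe);     // flawed: only touches allowlisted keys
    }
    return $redirect->getHeaders();
}

// Constructed sample request to the initial host.
$request = new ModelMessage();
$request->setHeaders(['Accept' => 'application/json', 'Authorization' => 'Bearer EXAMPLE', 'Cookie' => 'sid=EXAMPLE']);
print_r(array_keys(redirectHeaders($request, false)));
print_r(array_keys(redirectHeaders($request, true)));
```

The first call still carries authorization and cookie next to accept, because filtering through setHeaders never removes a key; the second call carries accept only.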

Affected configurations

Vulners node:
packagist, http-client, range 4.0.0
OR
packagist, http-client, range <4.4.0
