CVSS3: 8.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.002 Low
Percentile: 60.7%
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3
contains a vulnerability in the cookie middleware: when a response carries a
Set-Cookie header, the middleware does not check that the cookie's domain
matches the domain of the server that set it, so a malicious server can set
cookies for unrelated domains. The cookie middleware is disabled by default,
so most library consumers are not affected by this issue. Only those who
manually add the cookie middleware to the handler stack or construct the
client with ['cookies' => true] are affected. Moreover, those who do not use
the same Guzzle client to call multiple domains and have disabled redirect
forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and
7.4.3 contain a patch for this issue. As a workaround, turn off the cookie
middleware.
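The missing check, as an added example that is not Guzzle's own code: a stand-alone PHP implementation of the RFC 6265 domain-match test (section 5.1.3) that a cookie jar must apply to a Set-Cookie Domain attribute before storing the cookie sent by a given host. The function names and the sample hosts are hypothetical.

```php
<?php
// Added example (not Guzzle's own code); all names are hypothetical.
declare(strict_types=1);

/** RFC 6265 section 5.1.3: does $requestHost domain-match $cookieDomain? */
function domainMatches(string $requestHost, string $cookieDomain): bool
{
    $host   = strtolower(rtrim($requestHost, '.'));
    $domain = strtolower(trim($cookieDomain, '.')); // a leading dot is ignored (RFC 6265 5.2.3)
    if ($domain === '') {
        return false;
    }
    if ($host === $domain) {
        return true;
    }
    // Otherwise the domain must be a dot-preceded suffix of the host, and the host must not be an IP.
    $suffix = '.' . $domain;
    if (strlen($host) <= strlen($suffix) || substr($host, -strlen($suffix)) !== $suffix) {
        return false;
    }
    return filter_var($host, FILTER_VALIDATE_IP) === false;
}

/** Parse one Set-Cookie header value into name, value and lower-cased attribute names. */
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name, $value] = array_map('trim', explode('=', array_shift($parts), 2) + [1 => '']);
    $attrs = [];
    foreach ($parts as $part) {
        [$k, $v] = array_map('trim', explode('=', $part, 2) + [1 => '']);
        $attrs[strtolower($k)] = $v;
    }
    return ['name' => $name, 'value' => $value, 'attrs' => $attrs];
}

/** Accept a cookie set by $requestHost only if its Domain attribute (when present) matches that host. */
function shouldAcceptCookie(string $requestHost, string $setCookieHeader): bool
{
    $attrs = parseSetCookie($setCookieHeader)['attrs'];
    if (($attrs['domain'] ?? '') === '') {
        return true; // no Domain attribute: host-only cookie, scoped to $requestHost itself
    }
    return domainMatches($requestHost, $attrs['domain']);
}

// Constructed inputs: a legitimate parent-domain cookie, then a cross-site Set-Cookie that must be rejected.
var_dump(shouldAcceptCookie('api.example.com', 'sid=abc; Domain=example.com; Path=/'));
var_dump(shouldAcceptCookie('evil.example.net', 'sid=abc; Domain=.example.com'));
```

A jar that stores cookies without this test lets any server the client talks to (or is redirected to) plant cookies that are later sent to unrelated hosts, which is the behaviour the advisory describes.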
github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab
github.com/guzzle/guzzle/pull/3018
github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
launchpad.net/bugs/cve/CVE-2022-29248
nvd.nist.gov/vuln/detail/CVE-2022-29248
security-tracker.debian.org/tracker/CVE-2022-29248
www.cve.org/CVERecord?id=CVE-2022-29248
www.drupal.org/sa-core-2022-010