CVSS3: 7.7 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS2: 4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 44.0%
Guzzle is an extensible PHP HTTP client. The Authorization and Cookie headers on requests are sensitive information. In affected versions, when a request receives a redirect to a URI with a different port and we choose to follow it, the Authorization and Cookie headers should be removed from the request before continuing. Previously, only a change in host or scheme was considered. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users of any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header; however, this earlier fix did not cover a change in scheme or a change in port. If you are unable to upgrade, an alternative approach is to use your own redirect middleware rather than Guzzle's. If you do not require or expect redirects to be followed, simply disable redirects altogether.
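The origin comparison described above, written as an added example in Python rather than taken from Guzzle's PHP code: the pre-fix check compares only host and scheme, while the corrected check also compares the effective port (an implicit port is resolved to the scheme default) before deciding whether Authorization and Cookie headers may accompany the redirected request. The URLs and header values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Headers that must not be carried to a different origin on a followed redirect.
SENSITIVE_HEADERS = ("authorization", "cookie")
DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(url):
    """Return the explicit port, or the scheme's default when none is given."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return DEFAULT_PORTS.get(parts.scheme.lower())


def origin_changed_pre_fix(original, redirect):
    """Incomplete check (host and scheme only): a port-only change is missed."""
    o, r = urlsplit(original), urlsplit(redirect)
    return (
        (o.hostname or "").lower() != (r.hostname or "").lower()
        or o.scheme.lower() != r.scheme.lower()
    )


def origin_changed(original, redirect):
    """Corrected check: scheme, host and effective port must all match."""
    o, r = urlsplit(original), urlsplit(redirect)
    return (
        o.scheme.lower() != r.scheme.lower()
        or (o.hostname or "").lower() != (r.hostname or "").lower()
        or effective_port(original) != effective_port(redirect)
    )


def headers_for_redirect(headers, original, redirect, check=origin_changed):
    """Headers to send to the redirect target; sensitive ones are dropped on an origin change."""
    if not check(original, redirect):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    # Constructed sample: a redirect to the same host on a non-default port.
    original = "https://api.example.test/login"
    redirect = "https://api.example.test:8443/login"
    headers = {"Authorization": "Bearer example-token", "Cookie": "sid=1", "Accept": "*/*"}
    print("pre-fix keeps credentials:", "Authorization" in headers_for_redirect(headers, original, redirect, origin_changed_pre_fix))
    print("fixed strips credentials:", "Authorization" not in headers_for_redirect(headers, original, redirect))
```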
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31091
github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82 (7.4.5)
github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699
launchpad.net/bugs/cve/CVE-2022-31091
nvd.nist.gov/vuln/detail/CVE-2022-31091
security-tracker.debian.org/tracker/CVE-2022-31091