5.3 Medium (CVSS3): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | LOW |
Availability Impact | NONE |

5 Medium (CVSS2): AV:N/AC:L/Au:N/C:N/I:P/A:N

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

0.001 Low (EPSS): percentile 36.1%
ReactPHP HTTP is a streaming HTTP client and server implementation for ReactPHP. In ReactPHP's HTTP server component, versions starting with 0.7.0 and prior to 1.7.0, incoming HTTP cookie names are URL-decoded while the request is processed. This may lead to cookies with prefixes like `__Host-` and `__Secure-` being confused with cookies whose names decode to such a prefix, allowing an attacker to forge a cookie that is supposed to be secure. This issue is fixed in ReactPHP HTTP version 1.7.0. As a workaround, Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected `Cookie` request headers.
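As an added illustration, not code from the reactphp/http project, the snippet below parses the same `Cookie` header two ways: in the vulnerable style, where the cookie name is URL-decoded, and in a hardened form that keeps the name exactly as sent. The function names and the sample header are constructed for this example.

```php
<?php
// Added illustration, not reactphp/http's own code: the same Cookie header
// parsed with and without URL-decoding of the cookie *name*.

// Vulnerable style: name and value are both URL-decoded, so a name sent as
// "%5F%5FHost-session" is stored under the key "__Host-session" even though
// the browser never applied __Host- rules to it.
function parseCookieDecodingNames(string $header): array
{
    $result = [];
    foreach (explode(';', $header) as $pair) {
        $nameValue = explode('=', trim($pair), 2);
        if (count($nameValue) !== 2) {
            continue;
        }
        $result[urldecode($nameValue[0])] = urldecode($nameValue[1]);
    }
    return $result;
}

// Hardened style: the name is kept exactly as sent and only the value is
// decoded, so a percent-encoded lookalike stays a distinct key and cannot
// shadow the genuine __Host-/__Secure- cookie.
function parseCookieRawNames(string $header): array
{
    $result = [];
    foreach (explode(';', $header) as $pair) {
        $nameValue = explode('=', trim($pair), 2);
        if (count($nameValue) !== 2) {
            continue;
        }
        $result[$nameValue[0]] = urldecode($nameValue[1]);
    }
    return $result;
}

// Constructed sample: a genuine __Host-session cookie followed by a
// percent-encoded lookalike in the same request.
$header = '__Host-session=genuine; %5F%5FHost-session=lookalike';

$vulnerable = parseCookieDecodingNames($header);
$hardened   = parseCookieRawNames($header);

// Decoding names collapses both cookies onto one key; the later one wins.
echo "decoded-name parser: __Host-session=" . $vulnerable['__Host-session'] . PHP_EOL;
// Keeping raw names leaves the lookalike under its own, encoded key.
echo "raw-name parser:     __Host-session=" . $hardened['__Host-session'] . PHP_EOL;
echo "raw-name parser keys: " . implode(', ', array_keys($hardened)) . PHP_EOL;
```

Whether a given deployment is affected depends on the exact reactphp/http version in use, including vendored copies such as those noted in the table below.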
Author | Note |
---|---|
alexmurray | icinga-php-thirdparty and icingaweb2-module-reactbundle both vendor a copy of reactphp/http |
github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6
github.com/reactphp/http/pull/175
github.com/reactphp/http/releases/tag/v1.7.0
github.com/reactphp/http/security/advisories/GHSA-w3w9-vrf5-8mx8
launchpad.net/bugs/cve/CVE-2022-36032
nvd.nist.gov/vuln/detail/CVE-2022-36032
security-tracker.debian.org/tracker/CVE-2022-36032
www.cve.org/CVERecord?id=CVE-2022-36032