CVSS2 | 5 Medium |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:L/Au:N/C:N/I:P/A:N |

CVSS3 | 7.5 High |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |

AI Score | 6.8 Medium |
---|---|
Confidence | High |

EPSS | 0.003 Low |
---|---|
Percentile | 65.6% |
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP.
Affected versions are subject to improper header parsing: an attacker could
sneak a newline (\n) into both header names and header values. While the
specification states that \r\n\r\n terminates the header list, many servers
in the wild also accept \n\n, so a bare \n is enough to end the header block
early. This is a follow-up to CVE-2022-24775, whose fix was incomplete. The
issue has been patched in versions 1.9.1 and 2.4.5. There are no known
workarounds for this vulnerability; users are advised to upgrade.
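The description above says the earlier fix was incomplete and that a bare `\n` in a header name or value is enough to break the header block. The following is an added example, not code from guzzlehttp/psr7 or nyholm/psr7: a strict header validator built on the RFC 7230 token and field-value grammars, shown beside a weak regex that illustrates one way such a check can be incomplete in PHP. Without the `D` (PCRE_DOLLAR_ENDONLY) modifier, `$` also matches just before a final newline, so a value ending in `\n` passes. The class name `HeaderValidator` and the test inputs are constructed for this example, and it is an assumption here, not a claim about the patched commits, that this particular pitfall is what the fix addressed.

```php
<?php
declare(strict_types=1);

// Added example (not guzzlehttp/psr7 or nyholm/psr7 code): reject any CR or LF
// in header names and values, and show a regex pitfall that lets a trailing
// "\n" through. Whether this pitfall is the exact defect fixed in 1.9.1 / 2.4.5
// is an assumption of this example.

final class HeaderValidator
{
    // Header field name: the RFC 7230 "token" grammar (section 3.2.6).
    // The D modifier (PCRE_DOLLAR_ENDONLY) makes "$" match only at the very
    // end of the subject, never before a final "\n". "\z" would do the same.
    private const NAME_RE = '/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+$/D';

    // Header field value: SP / HTAB, visible ASCII (0x21-0x7E) and obs-text
    // (0x80-0xFF). CR (0x0D) and LF (0x0A) are excluded everywhere.
    private const VALUE_RE = '/^[ \t\x21-\x7E\x80-\xFF]*$/D';

    public static function isValidName(string $name): bool
    {
        return preg_match(self::NAME_RE, $name) === 1;
    }

    public static function isValidValue(string $value): bool
    {
        return preg_match(self::VALUE_RE, $value) === 1;
    }

    /**
     * Build one serialised header line, or throw if either part could split
     * the header block (bare "\n", "\r\n" and "\n\n" all fail validation).
     */
    public static function line(string $name, string $value): string
    {
        if (!self::isValidName($name)) {
            throw new InvalidArgumentException('Invalid header name: ' . json_encode($name));
        }
        if (!self::isValidValue($value)) {
            throw new InvalidArgumentException('Invalid header value: ' . json_encode($value));
        }
        return $name . ': ' . $value . "\r\n";
    }
}

// Weak variant: same character class, but no D modifier. "$" may match just
// before a trailing newline, so a value that ends in "\n" is accepted.
$weakValueRe = '/^[ \t\x21-\x7E\x80-\xFF]*$/';

// Constructed inputs for this example: one benign header, one with a trailing
// bare LF, one with CRLF mid-value, and one with LF inside the header name.
$cases = [
    ['Content-Type', 'text/html'],
    ['Content-Type', "text/html\n"],
    ['Content-Type', "text/html\r\nX-Injected: 1"],
    ["X-Foo\nX-Injected: 1", 'bar'],
];

foreach ($cases as [$name, $value]) {
    // The weak regex is only ever applied to the value, as a value check would be.
    $weak = preg_match($weakValueRe, $value) === 1 ? 'accepts' : 'rejects';
    try {
        HeaderValidator::line($name, $value);
        $strict = 'accepts';
    } catch (InvalidArgumentException $e) {
        $strict = 'rejects';
    }
    printf("%-45s weak value regex %s, strict validator %s\n",
        json_encode([$name, $value]), $weak, $strict);
}
```

Running this shows the weak value regex and the strict validator disagreeing only on the trailing-LF case; the CRLF case is caught by both because `\r` is outside the character class either way, and the LF-in-name case is caught only because the strict validator checks names as well as values. Applying a check like this at the point where a message is serialised (client side) and where raw header lines are parsed (server side) closes both directions the description mentions.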
Author | Note |
---|---|
gianz | php-guzzlehttp-psr7 Version 1.4.2 requires refactoring of core functions to be fixed. Same story for php-nyholm-psr7 version 1.2.1. Applying the patches to this version is likely to cause regressions. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | php-guzzlehttp-psr7 | < 1.4.2-0.1+deb10u2build0.20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | php-guzzlehttp-psr7 | < 1.8.3-1ubuntu0.1~esm1 | UNKNOWN |
ubuntu | 22.04 | noarch | php-nyholm-psr7 | < 1.5.0-1ubuntu0.1~esm1 | UNKNOWN |
cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775
github.com/guzzle/psr7/commit/0454e12ef0cd597ccd2adb036f7bda4e7fface66 (2.4.5)
github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
github.com/Nyholm/psr7/commit/1029a2671cbdd3e075a21952082c2be7c8018426 (1.6.1)
github.com/Nyholm/psr7/security/advisories/GHSA-wjfc-pgfp-pv9c
launchpad.net/bugs/cve/CVE-2023-29197
nvd.nist.gov/vuln/detail/CVE-2023-29197
security-tracker.debian.org/tracker/CVE-2023-29197
ubuntu.com/security/notices/USN-6670-1
ubuntu.com/security/notices/USN-6671-1
www.cve.org/CVERecord?id=CVE-2023-29197
www.rfc-editor.org/rfc/rfc7230#section-3.2.4