CVSS3: 7.7 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS2: 4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS: 0.001 Low
Percentile: 25.0%

guzzlehttp/guzzle is vulnerable to information disclosure. The vulnerability exists in several functions in RedirectMiddleware.php because a change in port is not considered a change in origin when sending requests that carry headers, which allows an attacker to gain access to sensitive header information.
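
The origin check described above, sketched as an added example (not Guzzle's own code or its patch): a comparison that ignores the port sits beside one that compares scheme, host and effective port before headers are forwarded on a redirect. The function names, the sample URLs and the choice of `Authorization` and `Cookie` as the sensitive headers are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not Guzzle's RedirectMiddleware code; all names are hypothetical.
const DEFAULT_PORTS = ['http' => 80, 'https' => 443];

/** Return [scheme, host, effective port], filling in the scheme's default port. */
function originOf(string $url): array
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException("Not an absolute URL: $url");
    }
    $scheme = strtolower($p['scheme']);
    return [$scheme, strtolower($p['host']), $p['port'] ?? (DEFAULT_PORTS[$scheme] ?? null)];
}

/** Weak: compares scheme and host only, so a port change still looks same-origin. */
function isCrossOriginIgnoringPort(string $from, string $to): bool
{
    return array_slice(originOf($from), 0, 2) !== array_slice(originOf($to), 0, 2);
}

/** Hardened: scheme, host and effective port must all match. */
function isCrossOrigin(string $from, string $to): bool
{
    return originOf($from) !== originOf($to);
}

/** Drop credential-bearing headers when the redirect target is a different origin. */
function headersForRedirect(array $headers, string $from, string $to): array
{
    $sensitive = ['authorization', 'cookie']; // assumed set of sensitive headers
    if (!isCrossOrigin($from, $to)) {
        return $headers;
    }
    return array_filter(
        $headers,
        fn($name): bool => !in_array(strtolower((string) $name), $sensitive, true),
        ARRAY_FILTER_USE_KEY
    );
}

// Constructed sample: the redirect keeps scheme and host but moves to another port.
$from = 'https://api.example.test/v1/items';
$to = 'https://api.example.test:8443/v1/items';
$headers = ['Authorization' => 'Bearer <placeholder>', 'Accept' => 'application/json'];
var_dump(isCrossOriginIgnoringPort($from, $to), isCrossOrigin($from, $to));
print_r(headersForRedirect($headers, $from, $to));
```

Filling in the default port before comparing keeps `https://host/` and `https://host:443/` in the same origin, so only a real port change causes headers to be stripped.
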
advisories.gitlab.com/advisory/advpackagist_guzzlehttp_guzzle_GMS_2022_2529.html
github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82
github.com/guzzle/guzzle/commit/a52f0440530b54fa079ce76e8c5d196a42cad981
github.com/guzzle/guzzle/pull/3042
github.com/guzzle/guzzle/pull/3043
github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699
security.gentoo.org/glsa/202305-24
www.debian.org/security/2022/dsa-5246
www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx