CVE-2022-31090

EUVD-2022-5884
Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.7 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
GitHub_MCNA
7.7 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 86%
Affected Products (NVD)
VendorProductVersion
guzzlephpguzzle
𝑥
< 6.5.8
guzzlephpguzzle
7.0.0 ≤
𝑥
< 7.4.5
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
guzzle
bookworm
7.4.5-1
fixed
buster
not-affected
sid
7.4.5-1
fixed
trixie
7.4.5-1
fixed
mediawiki
bookworm
1:1.39.7-1~deb12u1
fixed
bookworm (security)
1:1.39.10-1~deb12u1
fixed
bullseye
1:1.35.13-1+deb11u2
fixed
bullseye (security)
1:1.35.13-1+deb11u3
fixed
buster
not-affected
sid
1:1.39.10-1
fixed
trixie
1:1.39.10-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
civicrm
bionic
needs-triage
focal
needs-triage
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
needs-triage
guzzle
bionic
dne
focal
dne
impish
dne
jammy
dne
kinetic
ignored
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
dne
icinga-php-thirdparty
bionic
dne
focal
dne
impish
dne
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
trusty
dne
xenial
dne
icingaweb2-module-reactbundle
bionic
dne
focal
dne
impish
ignored
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
trusty
dne
xenial
dne
mediawiki
bionic
needs-triage
focal
needs-triage
impish
ignored
jammy
needs-triage
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
ignored
xenial
dne
Common Weakness Enumeration
References
https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82
https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r
https://security.gentoo.org/glsa/202305-24
https://www.debian.org/security/2022/dsa-5246
https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82
https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r
https://security.gentoo.org/glsa/202305-24
https://www.debian.org/security/2022/dsa-5246