Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-31043

Good to know:

icon

Date: June 9, 2022

Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to `http` downgrades did not result in the `Authorization` header being removed, only changes to the host. Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach which would be to use their own redirect middleware. Alternately users may simply disable redirects all together if redirects are not expected or required.

Language: PHP

Severity Score

Related Resources (8)

https://security-tracker.debian.org/tracker/CVE-2022-31043
https://nvd.nist.gov/vuln/detail/CVE-2022-31043
https://www.drupal.org/sa-core-2022-011
https://www.debian.org/security/2022/dsa-5246
https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx
https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8
https://www.mend.io/vulnerability-database/CVE-2022-31043

Severity Score

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Improper Removal of Sensitive Information Before Storage or Transfer

CWE-212

Incorrect Authorization

CWE-863

Top Fix

icon

Upgrade Version

Upgrade to version 6.5.7,7.4.4

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us