PT-2022-19495 · Guzzle · Guzzle

Dezső Biczó +1

Published 2022-05-25 · Updated 2024-03-06

CVE-2022-29248

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Guzzle versions prior to 6.5.6 and 7.4.3

Description: The issue is related to the cookie middleware in Guzzle, a PHP HTTP client. It does not check whether the cookie domain equals the domain of the server that sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. This affects users who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true]. Users who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected.

Recommendations: For versions prior to 6.5.6, upgrade to version 6.5.6. For versions prior to 7.4.3, upgrade to version 7.4.3. As a temporary workaround, consider turning off the cookie middleware.
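The missing check, as an added example that is not Guzzle's own code: a cookie jar should store a cookie from a Set-Cookie header only when its Domain attribute domain-matches the host that sent the response (RFC 6265 §5.1.3), so a server cannot plant cookies for unrelated domains. The header parsing, the host names and the sample response are constructed for illustration and assume PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not Guzzle's own code: the RFC 6265 domain-match check a cookie
// jar must apply before storing a Set-Cookie. Public-suffix filtering is out of scope.

/** True if a cookie carrying $cookieDomain (null = no Domain attribute) may be set by $requestHost. */
function cookieDomainAllowed(string $requestHost, ?string $cookieDomain): bool
{
    $host = strtolower($requestHost);
    if ($cookieDomain === null || trim($cookieDomain) === '') {
        return true; // host-only cookie, scoped to the responding host itself
    }
    $domain = strtolower(ltrim(trim($cookieDomain), '.'));
    if ($host === $domain) {
        return true;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false; // an IP literal never domain-matches a suffix
    }
    return str_ends_with($host, '.' . $domain); // suffix on a label boundary (PHP 8+)
}

/** Parse Set-Cookie headers and keep only the cookies the responding host may set. */
function acceptedCookies(string $requestHost, array $setCookieHeaders): array
{
    $kept = [];
    foreach ($setCookieHeaders as $header) {
        $parts = array_map('trim', explode(';', $header));
        [$name, $value] = explode('=', array_shift($parts), 2) + [1 => ''];
        $domain = null;
        foreach ($parts as $attr) {
            [$key, $val] = explode('=', $attr, 2) + [1 => ''];
            if (strcasecmp(trim($key), 'Domain') === 0) {
                $domain = $val;
            }
        }
        if (cookieDomainAllowed($requestHost, $domain)) {
            $kept[trim($name)] = trim($value);
        }
    }
    return $kept;
}

// Constructed sample: a response from attacker.example tries to plant a cookie for another domain.
var_dump(acceptedCookies('www.attacker.example', [
    'session=abc; Domain=bank.example; Path=/',    // rejected: unrelated domain
    'tracker=1; Domain=.attacker.example; Path=/', // accepted: own domain
    'hostonly=2; Path=/',                          // accepted: host-only cookie
]));
```

A client that shares one cookie jar across several hosts (the affected configuration above) needs exactly this filter at insertion time; rejecting the cookie is the mitigation, and a rejected Set-Cookie is a useful signal to log.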

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BIT-DRUPAL-2022-29248
CVE-2022-29248
DRUPAL-CORE-2022-010
DSA-5246-1
GHSA-CWMX-HCRQ-MHC3
MGASA-2022-0338

Affected Products

Guzzle