PT-2022-3247 · Guzzle

Published: 2022-06-09 · Updated: 2025-08-12 · CVE-2022-31042

CVSS v2.0: 7.8
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions:

Guzzle versions prior to 6.5.7

Guzzle versions prior to 7.4.4

Description:

The `Cookie` headers on requests are sensitive information. When a request made over the `https` scheme receives a redirect to a URI using the `http` scheme, or when any request receives a redirect to a URI on a different host, the `Cookie` header should not be forwarded to the redirect target. Prior to the fix, only cookies managed by the cookie middleware were removed on such redirects; a `Cookie` header that had been added to the request manually was forwarded unchanged. The issue allows a remote attacker to obtain protected information.

Recommendations:

For Guzzle versions prior to 6.5.7, upgrade to Guzzle 6.5.7 as soon as possible.

For Guzzle versions prior to 7.4.4, upgrade to Guzzle 7.4.4 as soon as possible.

If you are unable to upgrade, consider using your own redirect middleware instead of the default one.

If you do not require or expect redirects to be followed, simply disable redirects altogether.
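The check that a replacement redirect middleware (the workaround above) has to perform before re-sending a request with a manually set `Cookie` header, written here as an added PHP example that is not Guzzle's own code; the URIs and header values are constructed, and in a real middleware the two URIs would be the original request URI and the `Location` target taken from the redirect response.

```php
<?php
// Decide whether a manually set Cookie header may be re-sent on a redirect:
// only when the scheme is not downgraded from https to http and the target
// host is unchanged, as the advisory description requires.
function cookieMayFollowRedirect(string $fromUri, string $toUri): bool
{
    $from = parse_url($fromUri);
    $to   = parse_url($toUri);
    if ($from === false || $to === false) {
        return false; // unparsable URI: fail closed, do not forward the cookie
    }
    $fromScheme = strtolower($from['scheme'] ?? '');
    $fromHost   = strtolower($from['host'] ?? '');
    // A relative Location target keeps the original scheme and host.
    $toScheme = strtolower($to['scheme'] ?? $fromScheme);
    $toHost   = strtolower($to['host'] ?? $fromHost);
    if ($fromScheme === 'https' && $toScheme === 'http') {
        return false; // downgrade: the cookie would travel in cleartext
    }
    if ($toHost !== $fromHost) {
        return false; // cross-host: the cookie belongs to the original host
    }
    return true;
}
// Headers to send with the redirected request: every Cookie header (any
// letter case) is dropped when the redirect does not permit it.
function headersForRedirect(array $headers, string $fromUri, string $toUri): array
{
    if (cookieMayFollowRedirect($fromUri, $toUri)) {
        return $headers;
    }
    return array_filter(
        $headers,
        static fn ($name): bool => strcasecmp((string) $name, 'Cookie') !== 0,
        ARRAY_FILTER_USE_KEY
    );
}
// Constructed cases mirroring the advisory description.
$headers = ['Cookie' => 'session=constructed-value', 'Accept' => 'application/json'];
$cases = [
    ['https://app.example/login', 'http://app.example/home'],  // downgrade: strip
    ['https://app.example/login', 'https://cdn.example/home'], // other host: strip
    ['https://app.example/login', '/home'],                    // relative: keep
    ['http://app.example/login', 'https://app.example/home'],  // upgrade: keep
];
foreach ($cases as [$from, $to]) {
    $kept = array_key_exists('Cookie', headersForRedirect($headers, $from, $to));
    printf("%s -> %s: Cookie %s\n", $from, $to, $kept ? 'kept' : 'stripped');
}
```

Cookies handled by Guzzle's cookie middleware were already scoped correctly before the fix; this check matters for `Cookie` headers the application sets on the request itself.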

Weakness Enumeration

Improperly Implemented Security Check for Standard
Incorrect Authorization
Information Disclosure

Related Identifiers

BDU:2022-03942
BDU:2022-03953
BIT-DRUPAL-2022-31042
CVE-2022-31042
DSA-5246-1
GHSA-F2WF-25XC-69C9
MGASA-2022-0338

Affected Products

Guzzle
Red Os