PT-2022-7278 · Guzzle+2 · Guzzlehttp/Psr7+2

Damien Mckenna +1

Published: 2022-02-10 · Updated: 2024-03-06

CVE-2022-24775

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: guzzlehttp/psr7 versions prior to 1.8.4 (1.x branch) and prior to 2.1.1 (2.x branch)

Description: The issue is improper header validation in the guzzlehttp/psr7 library. Header names and values passed to the message setters (withHeader() and the other header setters) were not checked strictly enough, so a name or value carrying a leading or trailing newline character was accepted. An attacker who controls a header name or value can therefore sneak in a new line character, which is the precondition for injecting additional header lines into an outgoing HTTP message. A remote attacker could use this to impact the integrity of protected information.

Recommendations: For 1.x versions prior to 1.8.4, update to 1.8.4 or later. For 2.x versions prior to 2.1.1, update to 2.1.1 or later. As a temporary workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling withHeader().
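The workaround from the Recommendations above, as an added example that is not code from guzzlehttp/psr7 or from the advisory: a pre-flight filter for header names and values written in PHP (the language of the library), with hypothetical function names isSafeHeaderName, isSafeHeaderValue, sanitizeHeaderValue and compareAnchors, and constructed sample inputs. It also shows why a check anchored with `$` alone lets a trailing newline through: in PCRE, `$` also matches immediately before a final newline unless the D modifier is set, whereas `\z` matches only at the true end of the subject.

```php
<?php
declare(strict_types=1);

// Added example, not code from guzzlehttp/psr7 or from the advisory.
// It implements the temporary workaround described above (validate and strip
// user-supplied header names/values before calling withHeader()) and shows
// why a `$`-anchored regex is not a sufficient check. Function names and the
// sample inputs are constructed for this example.

// RFC 7230 token characters, anchored with \z so a trailing "\n" cannot slip past.
const HEADER_NAME_RE = '/^[a-zA-Z0-9!#$%&\'*+.^_`|~-]+\z/';
// Visible ASCII, obs-text, SP and HTAB only; CR and LF are never allowed.
const HEADER_VALUE_RE = '/^[ \t\x21-\x7E\x80-\xFF]*\z/';

function isSafeHeaderName(string $name): bool
{
    return preg_match(HEADER_NAME_RE, $name) === 1;
}

function isSafeHeaderValue(string $value): bool
{
    return preg_match(HEADER_VALUE_RE, $value) === 1;
}

/**
 * Strip leading/trailing whitespace including CR/LF (the advisory's mitigation),
 * then reject anything that still contains a control character.
 */
function sanitizeHeaderValue(string $value): string
{
    $clean = trim($value, " \t\r\n");
    if (!isSafeHeaderValue($clean)) {
        throw new InvalidArgumentException('header value contains CR/LF or other control characters');
    }
    return $clean;
}

/**
 * Compare a naive check against the strict one for the same header name.
 * In PCRE, `$` without the D modifier also matches just before a final newline,
 * so "X-Foo\n" passes the naive pattern; `\z` only matches at the true end.
 */
function compareAnchors(string $name): array
{
    $naive  = preg_match('/^[a-zA-Z0-9!#$%&\'*+.^_`|~-]+$/', $name) === 1;
    $strict = isSafeHeaderName($name);
    return ['naive' => $naive, 'strict' => $strict];
}

// Constructed inputs: a header name with a trailing newline, and values with
// a trailing CRLF and with an embedded CRLF followed by a second header line.
foreach (["X-Request-Id", "X-Request-Id\n"] as $name) {
    $r = compareAnchors($name);
    printf("%-20s naive=%s strict=%s\n", json_encode($name),
        var_export($r['naive'], true), var_export($r['strict'], true));
}

foreach (["abc123", "abc123\r\n", "abc123\r\nX-Injected: 1"] as $value) {
    try {
        printf("%-32s -> accepted as %s\n", json_encode($value), json_encode(sanitizeHeaderValue($value)));
    } catch (InvalidArgumentException $e) {
        printf("%-32s -> rejected (%s)\n", json_encode($value), $e->getMessage());
    }
}

// With the filter in place, the PSR-7 call becomes:
//   $request = $request->withHeader($name, sanitizeHeaderValue($userValue));
// after first checking isSafeHeaderName($name) when the name is user-controlled too.
```

Run it with the php CLI: the naive check accepts "X-Request-Id\n" while the strict one rejects it, the value with a trailing CRLF is trimmed and accepted, and the value with an embedded CRLF is rejected outright. On affected versions, apply sanitizeHeaderValue() (and isSafeHeaderName() for user-controlled names) before every withHeader() call, and still upgrade: the filter only covers the call sites you remember to wrap, whereas 1.8.4 and 2.1.1 enforce the check inside the library.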


Weakness Enumeration

Related Identifiers

BDU:2024-01894
BIT-DRUPAL-2022-24775
CVE-2022-24775
DLA-3705-1
DRUPAL-CORE-2022-006
GHSA-Q7RV-6HP3-VH96
GHSA-WXMH-65F7-JCVW
GHSA-XV3H-4844-9H36
USN-6670-1

Affected Products

Linuxmint
Ubuntu
Guzzlehttp/Psr7