CVE-2022-29248
Cross-domain cookie leakage in Guzzle
Public Exploits: 0
Exploited in Wild: -
Descriptions
Guzzle is a PHP HTTP client. Guzzle versions prior to 6.5.6 and 7.4.3 contain a vulnerability in the cookie middleware: it does not check whether the cookie domain equals the domain of the server that sets the cookie via the Set-Cookie header, which allows a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers are not affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.
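The missing check described above, as an added example that is not Guzzle's code or its patch: a standalone PHP sketch of RFC 6265 domain matching applied to Set-Cookie values before they are stored. The function names and the example.test hosts are assumptions made for illustration, and public-suffix filtering is out of scope.

```php
<?php
declare(strict_types=1);

// RFC 6265 section 5.1.3 domain-match: the host must equal the cookie
// domain or be a subdomain of it; IP literals never suffix-match.
function domainMatches(string $host, string $cookieDomain): bool
{
    $host = strtolower($host);
    $domain = strtolower(ltrim(trim($cookieDomain), '.'));
    if ($domain === '' || $host === $domain) {
        return $domain !== '';
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    $suffix = '.' . $domain;
    return substr($host, -strlen($suffix)) === $suffix;
}

// Effective domain of one Set-Cookie value. With no Domain attribute the
// cookie is host-only; if Domain is repeated, the last one wins.
function effectiveDomain(string $setCookie, string $responseHost): string
{
    $domain = $responseHost;
    foreach (array_slice(explode(';', $setCookie), 1) as $attribute) {
        $parts = explode('=', $attribute, 2);
        if (strcasecmp(trim($parts[0]), 'Domain') === 0 && trim($parts[1] ?? '') !== '') {
            $domain = trim($parts[1]);
        }
    }
    return $domain;
}

// Keep only the cookies the responding host is entitled to set.
function filterSetCookies(string $responseHost, array $setCookieHeaders): array
{
    return array_values(array_filter(
        $setCookieHeaders,
        fn (string $h): bool => domainMatches($responseHost, effectiveDomain($h, $responseHost))
    ));
}

// Constructed sample: three Set-Cookie values returned by api.example.test.
print_r(filterSetCookies('api.example.test', [
    'session=abc; Path=/',                    // host-only cookie
    'pref=1; Domain=.example.test; Path=/',   // parent domain of the host
    'token=x; Domain=unrelated.test; Path=/', // unrelated domain
]));
```

The third value is the case the advisory describes: a server naming a domain it does not belong to, which a client sharing one cookie jar across domains would otherwise store and later send to that domain.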
Timeline
- 2022-04-13 CVE Reserved
- 2022-05-25 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-16 EPSS Updated
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-565: Reliance on Cookies without Validation and Integrity Checking
References (5)
URL | Tag | Date |
---|---|---|
https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3 | Third Party Advisory | |
https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab | | 2023-07-21 |
https://github.com/guzzle/guzzle/pull/3018 | | 2023-07-21 |
https://www.drupal.org/sa-core-2022-010 | | 2023-07-21 |
https://www.debian.org/security/2022/dsa-5246 | | 2023-07-21 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Guzzlephp | Guzzle | < 6.5.6 | - | Affected |
Guzzlephp | Guzzle | >= 7.0.0 < 7.4.3 | - | Affected |
Drupal | Drupal | >= 9.2.0 < 9.2.20 | - | Affected |
Drupal | Drupal | >= 9.3.0 < 9.3.14 | - | Affected |
Debian | Debian Linux | 11.0 | - | Affected |