Vulnerability Details : CVE-2022-29248

Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.

Vulnerability category: Information leak

Published 2022-05-25 18:15:09

Updated 2023-07-21 16:54:50

Source GitHub, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-29248

Probability of exploitation activity in the next 30 days: 0.18%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 54 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-29248

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
5.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:N	8.6	4.9	[email protected]
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N	2.8	5.2	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: None
8.0	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N	1.6	5.8	[email protected]
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2022-29248

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: [email protected] (Secondary)
CWE-565 Reliance on Cookies without Validation and Integrity Checking

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

Assigned by: [email protected] (Primary)

References for CVE-2022-29248

https://github.com/guzzle/guzzle/pull/3018

Issue Tracking;Patch;Third Party Advisory
https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3

Third Party Advisory
https://www.debian.org/security/2022/dsa-5246

Third Party Advisory

CVEs referencing this url
https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab

Patch;Third Party Advisory
https://www.drupal.org/sa-core-2022-010

Patch;Third Party Advisory

Products affected by CVE-2022-29248

Debian » Debian Linux » Version: 11.0
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal
Versions from including (>=) 9.2.0 and before (<) 9.2.20
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal
Versions from including (>=) 9.3.0 and before (<) 9.3.14
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Matching versions
Guzzlephp » Guzzle
Versions before (<) 6.5.6
cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*
Matching versions
Guzzlephp » Guzzle
Versions from including (>=) 7.0.0 and before (<) 7.4.3
cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*
Matching versions