Vulnerability Details : CVE-2022-29248
Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.
Vulnerability category: Information leak
Products affected by CVE-2022-29248
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
- cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*
- cpe:2.3:a:guzzlephp:guzzle:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-29248
0.34%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 54 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-29248
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
8.6
|
4.9
|
NIST | |
|
8.1
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
2.8
|
5.2
|
NIST | |
|
8.0
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N |
1.6
|
5.8
|
GitHub, Inc. |
CWE ids for CVE-2022-29248
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: security-advisories@github.com (Secondary)
-
The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-29248
-
https://github.com/guzzle/guzzle/pull/3018
[7.x] Fix cross-domain cookie leakage by GrahamCampbell · Pull Request #3018 · guzzle/guzzle · GitHubIssue Tracking;Patch;Third Party Advisory
-
https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
Cross-domain cookie leakage · Advisory · guzzle/guzzle · GitHubThird Party Advisory
-
https://www.debian.org/security/2022/dsa-5246
Debian -- Security Information -- DSA-5246-1 mediawikiThird Party Advisory
-
https://github.com/guzzle/guzzle/commit/74a8602c6faec9ef74b7a9391ac82c5e65b1cdab
[7.x] Fix cross-domain cookie leakage (#3018) · guzzle/guzzle@74a8602 · GitHubPatch;Third Party Advisory
-
https://www.drupal.org/sa-core-2022-010
Access to this page has been denied.Patch;Third Party Advisory
Jump to