CVE-2022-29248

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-29248

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29248.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-29248

Aliases

Related

Published

2022-05-25T18:15:08Z

Modified

2024-09-18T03:18:41.522216Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.

References

Affected packages

Debian:12 / guzzle

Package

Name: guzzle
Purl: pkg:deb/debian/guzzle?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.4.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / guzzle

Package

Name: guzzle
Purl: pkg:deb/debian/guzzle?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.4.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / mediawiki

Package

Name: mediawiki
Purl: pkg:deb/debian/mediawiki?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:1.35.8-1~deb11u1

Affected versions

1:1.*

1:1.35.2-1

1:1.35.3-1

1:1.35.4-1~deb11u1

1:1.35.4-1

1:1.35.4-1+deb11u2

1:1.35.5-1

1:1.35.5-2

1:1.35.6-1

1:1.35.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / mediawiki

Package

Name: mediawiki
Purl: pkg:deb/debian/mediawiki?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:1.35.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / mediawiki

Package

Name: mediawiki
Purl: pkg:deb/debian/mediawiki?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:1.35.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/drupal/drupal

Affected ranges

Type: GIT
Repo: https://github.com/drupal/drupal
Events: Introduced

943ecef3c0bc9822338252a7df6419aeb9253c9d

Fixed

dddf4bdf8dd5c61d021bf88d42db73c7ccb59a60

Type: GIT
Repo: https://github.com/guzzle/guzzle
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

74a8602c6faec9ef74b7a9391ac82c5e65b1cdab

Affected versions

4.*

4.0.0

4.0.0-rc.1

4.0.0-rc.2

4.0.1

4.0.2

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.2.0

4.2.1

4.2.2

4.2.3

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.1.0

5.2.0

5.3.0

6.*

6.0.0

6.0.1

6.0.2

6.1.0

6.1.1

6.2.0

6.2.1

6.2.2

6.2.3

6.3.0

6.3.1

6.3.2

6.3.3

6.4.0

6.4.1

6.5.0

6.5.1

6.5.2

6.5.3

7.*

7.0.0

7.0.0-beta.1

7.0.0-beta.2

7.0.0-rc.1

7.0.1

7.1.0

7.1.1

7.2.0

7.3.0

7.4.0

7.4.1

7.4.2

9.*

9.2.0

9.2.1

9.2.10

9.2.11

9.2.12

9.2.13

9.2.14

9.2.15

9.2.16

9.2.17

9.2.18

9.2.19

9.2.2

9.2.3

9.2.4

9.2.5

9.2.6

9.2.7

9.2.8

9.2.9

v1.*

v1.0.0

v1.0.0beta1

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.1.4

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.3.0

v2.3.1

v2.3.2

v2.4.0

v2.4.1

v2.5.0

v2.6.0

v2.6.1

v2.6.2

v2.6.3

v2.6.4

v2.6.5

v2.6.6

v2.7.0

v2.7.1

v2.7.2

v2.8.0

v2.8.1

v2.8.2

v2.8.3

v2.8.4

v2.8.5

v2.8.6

v2.8.7

v2.8.8

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.1.0

v3.1.1

v3.1.2

v3.2.0

v3.3.0

v3.3.1

v3.4.0

v3.4.1

v3.4.2

v3.4.3

v3.5.0

v3.6.0

v3.7.0

v3.7.1

v3.7.2

v3.7.3

v3.7.4

v3.8.0

v3.8.1