GHSA-8jp9-mpv9-98rj

Source

https://github.com/advisories/GHSA-8jp9-mpv9-98rj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8jp9-mpv9-98rj/GHSA-8jp9-mpv9-98rj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8jp9-mpv9-98rj

Published

2024-05-15T17:48:10Z

Modified

2024-11-29T05:28:21.613229Z

Severity

4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N CVSS Calculator

Summary

amphp/http-client Header leakage on cross-domain redirects

Details

amphp/http-client has a security weakness that might leak sensitive request headers from the initial request to the redirected host on cross-domain redirects, which were not removed correctly. Message::setHeaders does not replace the entire set of headers, but only operates on the headers matching the given array keys.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T17:48:10Z"
}

References

Affected packages

Packagist / amphp/http-client

Package

Name: amphp/http-client
Purl: pkg:composer/amphp/http-client

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.4.0

Affected versions

v4.*

v4.0.0

v4.1.0-rc1

v4.1.0

v4.2.0

v4.2.1

v4.2.2

v4.3.0

v4.3.1