GHSA-m6ch-gg5f-wxx3

Source

https://github.com/advisories/GHSA-m6ch-gg5f-wxx3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-m6ch-gg5f-wxx3/GHSA-m6ch-gg5f-wxx3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-m6ch-gg5f-wxx3

Aliases

CVE-2016-5385

Published

2022-04-07T13:59:22Z

Modified

2023-11-08T03:58:31.024570Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

HTTP Proxy header vulnerability

Details

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTPPROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

References

Affected packages

Packagist / guzzlehttp/guzzle

Package

Name: guzzlehttp/guzzle
Purl: pkg:composer/guzzlehttp/guzzle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6

Fixed

6.2.1

Affected versions

6.*

6.0.0

6.0.1

6.0.2

6.1.0

6.1.1

6.2.0

Packagist / guzzlehttp/guzzle

Package

Name: guzzlehttp/guzzle
Purl: pkg:composer/guzzlehttp/guzzle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0-rc2

Fixed

4.2.4

Affected versions

4.*

4.0.0-rc.2

4.0.0

4.0.1

4.0.2

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.2.0

4.2.1

4.2.2

4.2.3

Packagist / guzzlehttp/guzzle

Package

Name: guzzlehttp/guzzle
Purl: pkg:composer/guzzlehttp/guzzle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5

Fixed

5.3.1

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.1.0

5.2.0

5.3.0

Packagist / drupal/core

Package

Name: drupal/core
Purl: pkg:composer/drupal/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0

Fixed

8.1.7

Affected versions

8.*

8.0.0-beta6

8.0.0-beta7

8.0.0-beta8

8.0.0-beta9

8.0.0-beta10

8.0.0-beta11

8.0.0-beta12

8.0.0-beta13

8.0.0-beta14

8.0.0-beta15

8.0.0-beta16

8.0.0-rc1

8.0.0-rc2

8.0.0-rc3

8.0.0-rc4

8.0.0

8.0.1

8.0.2

8.0.3

8.0.4

8.0.5

8.0.6

8.1.0-beta1

8.1.0-beta2

8.1.0-rc1

8.1.0

8.1.1

8.1.2

8.1.3

8.1.4

8.1.5

8.1.6

Packagist / bugsnag/bugsnag-laravel

Package

Name: bugsnag/bugsnag-laravel
Purl: pkg:composer/bugsnag/bugsnag-laravel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.2

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.0.10

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.3.0

v1.4.0

v1.4.1

v1.4.2

v1.5.0

v1.5.1

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.7.0

v2.*

v2.0.0

v2.0.1

Packagist / amphp/artax

Package

Name: amphp/artax
Purl: pkg:composer/amphp/artax

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.4

Affected versions

v0.*

v0.1.0

v0.3.7

v0.4.0

v0.5.0

v0.5.1

v0.6.0

v0.6.1

v0.6.2

v0.7.0

v0.7.1

v1.*

v1.0.0-alpha

v1.0.0-beta

v1.0.0-beta2

v1.0.0-rc1

v1.0.0-rc2

v1.0.0-rc3

v1.0.0-rc4

v1.0.0-rc5

v1.0.0-rc6

v1.0.0

v1.0.1

v1.0.2

v1.0.3

Packagist / amphp/artax

Package

Name: amphp/artax
Purl: pkg:composer/amphp/artax

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.0.4

Affected versions

v2.*

v2.0.0

v2.0.1

v2.0.3

2.*

2.0.2

Packagist / padraic/humbug_get_contents

Package

Name: padraic/humbug_get_contents
Purl: pkg:composer/padraic/humbug_get_contents

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.2

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.1.0

1.1.1