SB2022061019 - Drupal update for Guzzle

Published: June 10, 2022

Security Bulletin ID: SB2022061019
Severity: Low
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Improperly implemented security check for standard (CVE-ID: CVE-2022-31042)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an insecure implementation when handling HTTPS to HTTP redirects. The application includes the "Cookie" header in the follow-up request if the target server responds with a redirect to a URI with the `http` scheme, or if the server responds with a redirect to a URI on a different host. As a result, a remote attacker can obtain the authentication cookie and compromise the affected application.


2) Improperly implemented security check for standard (CVE-ID: CVE-2022-31043)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an insecure implementation when handling HTTPS to HTTP redirects. The application includes the "Authorization" header in the follow-up request if the target server responds with a redirect to a URI with the `http` scheme. As a result, a remote attacker can obtain the authentication credentials and compromise the affected application.
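Both entries above describe the same defect class: a redirect-following HTTP client re-sends credential-bearing headers to a destination the credentials were never meant for. The Python below is an added example written for this bulletin; it is not code from Drupal or from Guzzle. It implements the header check the two entries call for (drop "Cookie" on an HTTPS-to-HTTP downgrade or a change of host, drop "Authorization" on a downgrade) and, as a conservative generalization beyond the bulletin's text, also drops "Authorization" when the host changes. The redirect chain, header values and host names are constructed for the demonstration.

```python
"""Redirect header hygiene: which headers may follow a redirect?"""
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def resolve_location(request_url: str, location: str) -> str:
    """Resolve a Location header value, which may be relative, against the request URL."""
    return urljoin(request_url, location)


def is_scheme_downgrade(from_url: str, to_url: str) -> bool:
    """True when an https:// request is redirected to an http:// URI."""
    return (urlsplit(from_url).scheme.lower() == "https"
            and urlsplit(to_url).scheme.lower() == "http")


def is_cross_host(from_url: str, to_url: str) -> bool:
    """True when the redirect target is on a different host (case-insensitive compare)."""
    a, b = urlsplit(from_url), urlsplit(to_url)
    return (a.hostname or "").lower() != (b.hostname or "").lower()


def strip_sensitive_headers(from_url: str, to_url: str, headers: dict):
    """Return (headers_to_send, dropped_names) for the redirected request.

    Cookie: dropped on scheme downgrade or host change (as the bulletin describes).
    Authorization: dropped on scheme downgrade (as the bulletin describes) and,
    conservatively, on host change as well (generalization, not from the bulletin).
    """
    downgrade = is_scheme_downgrade(from_url, to_url)
    cross_host = is_cross_host(from_url, to_url)
    kept, dropped = {}, []
    for name, value in headers.items():
        lname = name.lower()  # header names are case-insensitive
        if lname in ("cookie", "authorization") and (downgrade or cross_host):
            dropped.append(name)
            continue
        kept[name] = value
    return kept, dropped


# Constructed redirect chain for the demo: URL -> (status, Location or None).
CHAIN = {
    "https://app.example/login": (302, "http://app.example/after-login"),
    "http://app.example/after-login": (200, None),
    "https://api.example/data": (302, "//cdn.other.example/data"),  # relative Location
    "https://cdn.other.example/data": (200, None),
}


def follow_redirects(start_url: str, headers: dict, chain=CHAIN, strip=True, max_hops=5):
    """Simulate following redirects; return [(url, headers_sent), ...] per hop.

    strip=False reproduces the vulnerable behaviour (headers forwarded unchanged);
    strip=True applies strip_sensitive_headers at every hop.
    """
    url, sent, trace = start_url, dict(headers), []
    for _ in range(max_hops):
        trace.append((url, dict(sent)))
        status, location = chain[url]
        if status not in REDIRECT_STATUSES or location is None:
            return trace
        next_url = resolve_location(url, location)
        if strip:
            sent, _dropped = strip_sensitive_headers(url, next_url, sent)
        url = next_url
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    creds = {"Cookie": "session=abc", "Authorization": "Bearer t0k3n", "Accept": "*/*"}
    for hop, sent in follow_redirects("https://app.example/login", creds):
        print(hop, "->", sorted(sent))
```

The two checks are deliberately separate: a downgrade exposes the headers in cleartext on the wire, while a cross-host redirect hands them to a different party, and a client that only implements one of the two still has the other hole. Checking at every hop matters because a chain can stay on HTTPS for the first redirect and downgrade on the second.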

Remediation

Install update from vendor's website.