Improperly implemented security check for standard in guzzle - CVE-2022-31043
Published: June 10, 2022
Vulnerability identifier: #VU64189
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-31043
CWE-ID: CWE-358
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Guzzle
Affected software:
guzzle
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an insecure implementation when handling HTTPS-to-HTTP redirects. The application keeps the "Authorization" header in the follow-up request if the target server responds with a redirect to a URI with the `http` scheme. As a result, a remote attacker can obtain the authentication credentials and compromise the affected application.
How to mitigate CVE-2022-31043
Install updates from vendor's website.
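The check that the description above says was missing, modelled as an added example in Python (this is not Guzzle's code; the function name and sample headers are hypothetical): a redirect that downgrades the scheme from https to http, or that moves to a different host, must not carry the Authorization header along.

```python
from urllib.parse import urlsplit


def headers_for_redirect(request_headers, original_url, location):
    """Return the headers to send on the request that follows a redirect.

    The Authorization header is dropped when the redirect target downgrades
    https -> http (the CVE-2022-31043 condition) or changes the host; a
    relative or same-origin redirect keeps it.
    """
    orig = urlsplit(original_url)
    target = urlsplit(location)
    # A relative Location (e.g. "/login") inherits scheme and host from
    # the original request; a scheme-relative "//host/path" only the scheme.
    scheme = (target.scheme or orig.scheme).lower()
    host = (target.hostname or orig.hostname or "").lower()
    downgrade = orig.scheme.lower() == "https" and scheme == "http"
    host_changed = host != (orig.hostname or "").lower()
    if downgrade or host_changed:
        # Header names are case-insensitive, so compare lower-cased.
        return {k: v for k, v in request_headers.items()
                if k.lower() != "authorization"}
    return dict(request_headers)


def vulnerable_headers_for_redirect(request_headers, original_url, location):
    """Behaviour the advisory describes: headers are copied unconditionally,
    so the credential leaves the TLS-protected connection on a downgrade."""
    return dict(request_headers)


if __name__ == "__main__":
    # Constructed sample request: a bearer token sent to an HTTPS endpoint.
    sample = {"Authorization": "Bearer example-token", "Accept": "*/*"}
    for loc in ("http://api.example.com/v1", "/v2", "https://other.example.net/"):
        print(loc, "->", headers_for_redirect(sample, "https://api.example.com/v1", loc))
```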