#VU64189 Improperly implemented security check for standard in guzzle - CVE-2022-31043

Vulnerability identifier: #VU64189

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2022-31043

CWE-ID: CWE-358

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
guzzle

Software vendor:
Guzzle

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insecure implementation when handling HTTPS to HTTP redirects. The application includes the "Authorization" header into request if the target server responds with a redirect to a URI with the `http` scheme. As a result a remote attacker can obtain the authentication credentials and compromise the affected application.

Install updates from vendor's website.

• https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
• https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8