
CVE-2022-29248: Cross-domain cookie leakage in Guzzle

CVSS Score: 8 (CVSS v3.1)

Basic Information

EPSS Score: 0.5971%
Published: 5/25/2022
Updated: 2/5/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| guzzlehttp/guzzle | composer | < 6.5.6 | 6.5.6 |
| guzzlehttp/guzzle | composer | >= 7.0.0, < 7.4.3 | 7.4.3 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two key flaws:

  1. In CookieJar::extractCookies, there was no domain validation check before adding cookies to the jar (evidenced by the added 'matchesDomain' check in the patch).
  2. SetCookie::matchesDomain used strcasecmp without proper domain normalization (fixed by strtolower conversions), allowing case-based bypasses and subdomain mismatches. The commit directly modifies these functions to add domain validation and case normalization, confirming their role in the vulnerability.
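The following is an added illustration, not Guzzle's code, of the two checks the analysis above describes: a domain-matching function that lowercases and trims both sides before comparing, and a jar that refuses to store a cookie unless its Domain attribute matches the host that actually sent the response. The names `matches_domain`, `DemoCookieJar` and the sample hosts are hypothetical and chosen for this example.

```php
<?php
// Added example (not Guzzle's own code). Names and sample hosts are hypothetical.
declare(strict_types=1);

// RFC 6265-style domain matching with case normalization. A cookie scoped to
// "example.com" matches "example.com" and "sub.example.com", but never
// "evil.com" or "notexample.com".
function matches_domain(string $cookieDomain, string $requestHost): bool
{
    // Normalize both sides: trim whitespace, drop a leading dot, lowercase.
    // Comparing raw strings (or a case-sensitive suffix check) is the class of
    // defect the advisory describes.
    $cookieDomain = strtolower(ltrim(trim($cookieDomain), '.'));
    $requestHost  = strtolower(trim($requestHost));

    if ($cookieDomain === '') {
        return false;
    }
    // Exact match covers host-only cookies and the apex domain itself.
    if ($cookieDomain === $requestHost) {
        return true;
    }
    // An IP address literal never suffix-matches a domain.
    if (filter_var($requestHost, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    // Suffix match only on a label boundary: ".example.com", not "xample.com".
    return (bool) preg_match('/\.' . preg_quote($cookieDomain, '/') . '$/', $requestHost);
}

final class DemoCookieJar
{
    /** @var array<int, array{name: string, value: string, domain: string}> */
    private array $cookies = [];

    /**
     * Store cookies from a response's Set-Cookie headers, keeping only those
     * whose Domain attribute matches the host that sent them.
     * Returns the number of cookies rejected.
     */
    public function extractCookies(string $requestHost, array $setCookieHeaders): int
    {
        $rejected = 0;
        foreach ($setCookieHeaders as $header) {
            $cookie = self::parseSetCookie($header, $requestHost);
            // The check the patch adds: a server may only set cookies for
            // domains it belongs to.
            if (!matches_domain($cookie['domain'], $requestHost)) {
                $rejected++;
                continue;
            }
            $this->cookies[] = $cookie;
        }
        return $rejected;
    }

    /** Cookies that would be attached to a request for $host. */
    public function cookiesFor(string $host): array
    {
        return array_values(array_filter(
            $this->cookies,
            fn (array $c): bool => matches_domain($c['domain'], $host)
        ));
    }

    private static function parseSetCookie(string $header, string $defaultDomain): array
    {
        $parts = array_map('trim', explode(';', $header));
        [$name, $value] = array_map('trim', explode('=', array_shift($parts), 2) + [1 => '']);
        $domain = $defaultDomain; // host-only cookie unless a Domain attribute is present
        foreach ($parts as $attr) {
            if (stripos($attr, 'domain=') === 0) {
                $domain = substr($attr, strlen('domain='));
            }
        }
        return ['name' => $name, 'value' => $value, 'domain' => $domain];
    }
}

// Constructed sample: a response from one host carries a cookie scoped to an
// unrelated domain (rejected) and one scoped to itself with odd casing (kept).
$jar = new DemoCookieJar();
$rejected = $jar->extractCookies('other.example.net', [
    'session=foreign; Domain=bank.example.com; Path=/',
    'tracker=abc; Domain=.OTHER.Example.NET',
]);
echo "rejected: $rejected\n";                               // rejected: 1
echo count($jar->cookiesFor('bank.example.com')), "\n";    // 0
echo count($jar->cookiesFor('www.other.example.net')), "\n"; // 1
```

Without the `matches_domain` call in `extractCookies`, the first header would be stored and later sent to `bank.example.com`, which is the cross-domain leakage the advisory describes; the case-normalized comparison is what lets the second cookie be accepted and matched consistently regardless of how the server spelled the domain.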


WAF Protection Rules

### Impact

Previous versions of Guzzle contain a vulnerability in the cookie middleware. The vulnerability is that it is not checked whether the cookie domain equals the domain of the server which sets the cookie via the `Set-Cookie` header, allowing a
