CVE-2022-29248: Cross-domain cookie leakage in Guzzle
8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.5971%
CWE
Published
5/25/2022
Updated
2/5/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
guzzlehttp/guzzle | composer | < 6.5.6 | 6.5.6 |
guzzlehttp/guzzle | composer | >= 7.0.0, < 7.4.3 | 7.4.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two key flaws:
- In CookieJar::extractCookies, there was no domain validation check before adding cookies to the jar (evidenced by the added 'matchesDomain' check in the patch).
- SetCookie::matchesDomain used strcasecmp without proper domain normalization (fixed by strtolower conversions), allowing case-based bypasses and subdomain mismatches. The commit directly modifies these functions to add domain validation and case normalization, confirming their role in the vulnerability.