7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31042

GHSA ID

GHSA-f2wf-25xc-69c9

EPSS Score

0.58421%

CWE

CWE-200

Published

6/9/2022

Updated

7/24/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31042

CVE-2022-31042:
Failure to strip the Cookie header on change in host or HTTP downgrade

Impact

Cookie headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the Cookie header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any Cookie header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there.

Patches

Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4.

Workarounds

An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.

References

RFC9110 Section 15.4

For more information

If you have any questions or comments about this advisory, please get in touch with us in #guzzle on the PHP HTTP Slack. Do not report additional security advisories in that public channel, however - please follow our vulnerability reporting process.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31042

GHSA ID

GHSA-f2wf-25xc-69c9

EPSS Score

0.58421%

CWE

CWE-200

Published

6/9/2022

Updated

7/24/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
guzzlehttp/guzzle	composer	>= 7.0.0, < 7.4.4	7.4.4
guzzlehttp/guzzle	composer	>= 4.0.0, < 6.5.7	6.5.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper handling of manually added Cookie headers during redirects. The key changes in the fix:- 1) Introduction of shouldStripSensitiveHeaders static method to check host/scheme changes 2) Modified modifyRequest to remove both Authorization and Cookie headers based on this check 3) Made redirectUri static. The original vulnerability existed because the Cookie header wasn't being stripped in redirects to different hosts or HTTP downgrades, which was addressed by adding the sensitive header stripping logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t `*ooki*` *****rs on r*qu*sts *r* s*nsitiv* in*orm*tion. On m*kin* * r*qu*st usin* t** `*ttps` s***m* to * s*rv*r w*i** r*spon*s wit* * r**ir**t to * URI wit* t** `*ttp` s***m*, or on m*kin* * r*qu*st to * s*rv*r w*i** r*spon*s wit* * r**i

Reasoning

T** vuln*r**ility st*mm** *rom improp*r **n*lin* o* m*nu*lly ***** *ooki* *****rs *urin* r**ir**ts. T** k*y ***n**s in t** *ix:- *) Intro*u*tion o* `s*oul*StripS*nsitiv******rs` st*ti* m*t*o* to ****k `*ost/s***m*` ***n**s *) Mo*i*i** `mo*i*yR*qu*st`

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-31042: Failure to strip the Cookie header on change in host or HTTP downgrade

Impact

Patches

Workarounds

References

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-31042:
Failure to strip the Cookie header on change in host or HTTP downgrade

Vulnerability Intelligence
Miggo AI