7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31090

GHSA ID

GHSA-25mq-v84q-4j7r

EPSS Score

0.87491%

CWE

CWE-200

Published

6/21/2022

Updated

7/24/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31090

CVE-2022-31090: CURLOPT_HTTPAUTH option not cleared on change of origin

Impact

Authorization headers on requests are sensitive information. When using our Curl handler, it is possible to use the CURLOPT_HTTPAUTH option to specify an Authorization header. On making a request which responds with a redirect to a URI with a different origin, if we choose to follow it, we should remove the CURLOPT_HTTPAUTH and CURLOPT_USERPWD options before continuing, stopping curl from appending the Authorization header to the new request. Previously, we would only consider a change in host. Now, we consider any change in host, port or scheme to be a change in origin.

Patches

Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port.

Workarounds

If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle stream handler backend, rather than curl.

References

For more information

If you have any questions or comments about this advisory, please get in touch with us in #guzzle on the PHP HTTP Slack. Do not report additional security advisories in that public channel, however - please follow our vulnerability reporting process.

(GitHub Advisory)

7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31090

GHSA ID

GHSA-25mq-v84q-4j7r

EPSS Score

0.87491%

CWE

CWE-200

Published

6/21/2022

Updated

7/24/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
guzzlehttp/guzzle	composer	< 6.5.8	6.5.8
guzzlehttp/guzzle	composer	>= 7.0.0, < 7.4.5	7.4.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from incomplete origin validation when handling redirects. The commit shows the check for CURLOPT_HTTPAUTH removal was originally based solely on host comparison (request->getUri()->getHost() !== nextRequest->getUri()->getHost()). The shouldStripSensitiveHeaders method only checked host mismatch and HTTP->HTTPS downgrades, missing port changes. These functions failed to properly clear authentication options when redirecting to different ports or schemes, allowing credentials to leak. The fix replaced these checks with Psr7\UriComparator::isCrossOrigin which properly validates host, port, and scheme changes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t `*ut*oriz*tion` *****rs on r*qu*sts *r* s*nsitiv* in*orm*tion. W**n usin* our *url **n*l*r, it is possi*l* to us* t** `*URLOPT_*TTP*UT*` option to sp**i*y *n `*ut*oriz*tion` *****r. On m*kin* * r*qu*st w*i** r*spon*s wit* * r**ir**t to *

Reasoning

T** vuln*r**ility st*mm** *rom in*ompl*t* ori*in v*li**tion w**n **n*lin* r**ir**ts. T** *ommit s*ows t** ****k *or `*URLOPT_*TTP*UT*` r*mov*l w*s ori*in*lly **s** sol*ly on *ost *omp*rison (`r*qu*st->**tUri()->**t*ost()` !== `n*xtR*qu*st->**tUri()->

7.7

Basic Information

Concerned about an active attack path?

CVE-2022-31090: CURLOPT_HTTPAUTH option not cleared on change of origin

Impact

Patches

Workarounds

References

For more information

7.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI