2256058 – (CVE-2022-24775) CVE-2022-24775 php-guzzlehttp-psr7: improper header parsing in php-guzzlehttp-psr7

Bug 2256058 (CVE-2022-24775) - CVE-2022-24775 php-guzzlehttp-psr7: improper header parsing in php-guzzlehttp-psr7

Summary: CVE-2022-24775 php-guzzlehttp-psr7: improper header parsing in php-guzzlehttp...

Keywords:
Status:	NEW
Alias:	CVE-2022-24775
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2256060 2256059
Blocks:
TreeView+	depends on / blocked

Reported:	2023-12-28 05:35 UTC by Rohit Keshri
Modified:	2023-12-28 05:36 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Rohit Keshri 2023-12-28 05:35:03 UTC

guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.

https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1
https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc
https://www.drupal.org/sa-core-2022-006

Comment 1 Rohit Keshri 2023-12-28 05:36:04 UTC

Created php-guzzlehttp-psr7 tracking bugs for this issue:

Affects: epel-all [bug 2256060]
Affects: fedora-all [bug 2256059]

Note You need to log in before you can comment on or make changes to this bug.