Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13M3c5LXZyZjUtOG14OM4AAu1p
ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent
Impact
In ReactPHP's HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host- and __Secure- confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-7070 and CVE-2020-8184 for more information.
Patches
- https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6 - Fixed in reactphp/http
v1.7.0
Workarounds
Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected Cookie request headers.
References
- CVE-2020-7070, https://bugs.php.net/bug.php?id=79699 and https://github.com/php/php-src/commit/6559fe912661ca5ce5f0eeeb591d928451428ed0
- CVE-2020-8184, https://hackerone.com/reports/895727 and https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c
- Originally introduced via https://github.com/reactphp/http/pull/175
Credits
- Thanks to Marco Squarcina (TU Wien) for reporting this and working with us to coordinate this security advisory
For more information
If you have any questions or comments about this advisory:
- Join the discussion
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13M3c5LXZyZjUtOG14OM4AAu1p
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-w3w9-vrf5-8mx8, CVE-2022-36032
References:
- https://github.com/reactphp/http/security/advisories/GHSA-w3w9-vrf5-8mx8
- https://nvd.nist.gov/vuln/detail/CVE-2022-36032
- https://github.com/reactphp/http/pull/175
- https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6
- https://github.com/reactphp/http/releases/tag/v1.7.0
- https://github.com/FriendsOfPHP/security-advisories/blob/master/react/http/CVE-2022-36032.yaml
- https://github.com/advisories/GHSA-w3w9-vrf5-8mx8
Blast Radius: 17.5
Affected Packages
packagist:react/http
Dependent packages: 356Dependent repositories: 2,046
Downloads: 15,430,168 total
Affected Version Ranges: >= 0.7.0, < 1.7.0
Fixed in: 1.7.0
All affected versions: 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0
All unaffected versions: 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.6, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.6.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0