Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS13eG1oLTY1ZjctamN2d84AAy3w

Improper header name validation in guzzlehttp/psr7

Impact

Improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n.

Patches

The issue is patched in 1.9.1 and 2.4.5.

Workarounds

There are no known workarounds.

References

• https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4

Permalink: https://github.com/advisories/GHSA-wxmh-65f7-jcvw
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13eG1oLTY1ZjctamN2d84AAy3w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 4 months ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-wxmh-65f7-jcvw, CVE-2023-29197
References:

• https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
• https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
• https://nvd.nist.gov/vuln/detail/CVE-2023-29197
• https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4
• https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2023-29197.yaml
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775
• https://lists.fedoraproject.org/archives/list/[email protected]/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF/
• https://lists.debian.org/debian-lts-announce/2023/12/msg00028.html
• https://github.com/advisories/GHSA-wxmh-65f7-jcvw

Repository: https://github.com/guzzle/psr7
Blast Radius: 29.4

Affected Packages