Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xN3J2LTZocDMtdmg5Ns01tQ

Improper Input Validation in guzzlehttp/psr7

Impact

Improper header parsing. An attacker could sneak in a carriage return character (\r) and pass untrusted values in both the header names and values.

Patches

The issue is patched in 1.8.4 and 2.1.1.

Workarounds

There are no known workarounds.

References

https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4

Permalink: https://github.com/advisories/GHSA-q7rv-6hp3-vh96
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xN3J2LTZocDMtdmg5Ns01tQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 3 months ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-q7rv-6hp3-vh96, CVE-2022-24775
References:

Repository: https://github.com/guzzle/psr7
Blast Radius: 29.4

Affected Packages

packagist:guzzlehttp/psr7

Dependent packages: 2,489
Dependent repositories: 357,073
Downloads: 668,958,208 total
Affected Version Ranges: >= 2.0.0, < 2.1.1, < 1.8.4
Fixed in: 2.1.1, 1.8.4
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 2.0.0, 2.1.0
All unaffected versions: 1.8.4, 1.8.5, 1.9.0, 1.9.1, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2