search

Vonage-Community / sample-video-php-learning_server

Apache License 2.0
0 stars 0 forks source link

guzzlehttp/guzzle-7.4.2: 1 vulnerabilities (highest severity is: 8.1) - autoclosed #2

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - guzzlehttp/guzzle-7.4.2

Guzzle is a PHP HTTP client library

Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/ac1ec1cd9b5624694c3a40be801d94137afb12b4

Found in HEAD commit: 5e604e14be6057c453f7254312b6a09419311477

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (guzzlehttp/guzzle version) Remediation Available
CVE-2022-29248 High 8.1 guzzlehttp/guzzle-7.4.2 Direct guzzlehttp/guzzle - 6.5.6,guzzlehttp/guzzle - 7.4.3

Details

CVE-2022-29248 ### Vulnerable Library - guzzlehttp/guzzle-7.4.2

Guzzle is a PHP HTTP client library

Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/ac1ec1cd9b5624694c3a40be801d94137afb12b4

Dependency Hierarchy: - :x: **guzzlehttp/guzzle-7.4.2** (Vulnerable Library)

Found in HEAD commit: 5e604e14be6057c453f7254312b6a09419311477

Found in base branch: video-integration

### Vulnerability Details

Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.

Publish Date: 2022-05-25

URL: CVE-2022-29248

### CVSS 3 Score Details (8.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29248

Release Date: 2022-05-25

Fix Resolution: guzzlehttp/guzzle - 6.5.6,guzzlehttp/guzzle - 7.4.3

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.