logo

Database

Lack of data validation In guzzlehttp/psr7

Description

Improper Input Validation in guzzlehttp/psr7

Impact

Improper header parsing. An attacker could sneak in a carriage return character (\r) and pass untrusted values in both the header names and values.

Patches

The issue is patched in 1.8.4 and 2.1.1.

Workarounds

There are no known workarounds.

References

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-247752. NVD-2022-247753. OSV-2022-247754. OSV-DEBIAN-2022-247755. GHSA-q7rv-6hp3-vh966. GCVE-2022-247757. SECURITY-TRACKER-CVE-2022-247758. GHSA-q7rv-6hp3-vh96

References

1. https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh962. https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f13. https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc4. https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2022-24775.yaml5. https://www.drupal.org/sa-core-2022-0066. https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.