Lucene search

[email protected]CVE-2023-29197

HistoryApr 17, 2023 - 10:15 p.m.

CVE-2023-29197

2023-04-1722:15:09

CWE-436

[email protected]

web.nvd.nist.gov

guzzlehttp

psr7

php

library

cve-2023-29197

security

vulnerability

header parsing

patch

upgrade

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.1 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

65.6%

JSON

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade.

Affected configurations

Vulners

NVD

Node

guzzlepsr7Range<1.9.1

guzzlepsr7Range2.0.0–2.4.5

CPENameOperatorVersion
guzzlephp:psr-7guzzlephp psr-7lt1.9.1
guzzlephp:psr-7guzzlephp psr-7lt2.4.5

CPE	Name	Operator	Version
guzzlephp:psr-7	guzzlephp psr-7	lt	1.9.1
guzzlephp:psr-7	guzzlephp psr-7	lt	2.4.5

CNA Affected

[
  {
    "vendor": "guzzle",
    "product": "psr7",
    "versions": [
      {
        "version": "< 1.9.1",
        "status": "affected"
      },
      {
        "version": ">= 2.0.0, < 2.4.5",
        "status": "affected"
      }
    ]
  }
]