GitHub Advisory DatabaseGHSA-WXMH-65F7-JCVWImproper header name validation in guzzlehttp/psr7
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.003 Low
EPSS
Percentile
65.5%
Impact
Improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n.
Patches
The issue is patched in 1.9.1 and 2.4.5.
Workarounds
There are no known workarounds.
References
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| guzzlehttp/psr7 | lt | 2.4.5 | |
| guzzlehttp/psr7 | lt | 1.9.1 |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775
github.com/advisories/GHSA-wxmh-65f7-jcvw
github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2023-29197.yaml
github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
lists.debian.org/debian-lts-announce/2023/12/msg00028.html
lists.fedoraproject.org/archives/list/[email protected]/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF/
lists.fedoraproject.org/archives/list/[email protected]/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U/
nvd.nist.gov/vuln/detail/CVE-2023-29197
www.rfc-editor.org/rfc/rfc7230#section-3.2.4
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
0.003 Low
EPSS
Percentile
65.5%