Skip to content

guzzlehttp/command-0.7.1: 2 vulnerabilities (highest severity is: 8.1) #2

New issue
New issue
Open
Open
guzzlehttp/command-0.7.1: 2 vulnerabilities (highest severity is: 8.1)#2
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Jun 2, 2022
Vulnerable Library - guzzlehttp/command-0.7.1

Found in HEAD commit: 39dbe5aff08e4f04412a5938451250b3845c4dff

Vulnerabilities

Vulnerability Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (guzzlehttp/command version) Remediation Possible** Reachability
CVE-2016-5385 High 8.1 Not Defined 83.0% guzzlehttp/guzzle-5.3.x-dev Transitive N/A*
CVE-2022-29248 High 8.0 Not Defined 0.6% guzzlehttp/guzzle-5.3.x-dev Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2016-5385

Vulnerable Library - guzzlehttp/guzzle-5.3.x-dev

Guzzle is a PHP HTTP client library and framework for building RESTful web service clients

Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/d59d5293b4a804d6436d64fec71a8c75110a3165

Dependency Hierarchy:

  • guzzlehttp/command-0.7.1 (Root Library)
    • guzzlehttp/guzzle-5.3.x-dev (Vulnerable Library)

Found in HEAD commit: 39dbe5aff08e4f04412a5938451250b3845c4dff

Found in base branch: main

Vulnerability Details

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

Publish Date: 2016-07-19

URL: CVE-2016-5385

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 83.0%

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2022-29248

Vulnerable Library - guzzlehttp/guzzle-5.3.x-dev

Guzzle is a PHP HTTP client library and framework for building RESTful web service clients

Library home page: https://api.github.com/repos/guzzle/guzzle/zipball/d59d5293b4a804d6436d64fec71a8c75110a3165

Dependency Hierarchy:

  • guzzlehttp/command-0.7.1 (Root Library)
    • guzzlehttp/guzzle-5.3.x-dev (Vulnerable Library)

Found in HEAD commit: 39dbe5aff08e4f04412a5938451250b3845c4dff

Found in base branch: main

Vulnerability Details

Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.

Publish Date: 2022-05-25

URL: CVE-2022-29248

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.6%

CVSS 3 Score Details (8.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29248

Release Date: 2022-05-25

Fix Resolution: guzzlehttp/guzzle - 6.5.6,guzzlehttp/guzzle - 7.4.3

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions