guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing: an attacker could sneak a bare newline (\n) into both header names and header values. While the specification states that \r\n\r\n terminates the header list, many servers in the wild also accept \n\n, so a bare \n that is not rejected can inject additional header lines or terminate the header block early on such servers. This is a follow-up to CVE-2022-24775, where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability; users are advised to upgrade.
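The following is an added example, not code from guzzle/psr7 or its advisory. It puts a CRLF-only check (the kind of check that lets a bare \n through, as described above) beside a strict validator written against RFC 7230 section 3.2.4, and runs both over constructed header names and values carrying a bare \n. The function names, the exception class and the sample inputs are this example's own assumptions.

```php
<?php
// Added example, not code from guzzle/psr7. A strict header-field validator
// following RFC 7230 section 3.2.4, beside a CRLF-only check, to show why a
// bare "\n" has to be rejected and not only the "\r\n" sequence.
declare(strict_types=1);

final class HeaderInjectionException extends InvalidArgumentException {}

// Printable rendering of a string for messages: CTLs and high bytes escaped.
function showBytes(string $s): string
{
    return addcslashes($s, "\0..\37\177..\377");
}

// Header name must be an RFC 7230 token: tchar excludes CTLs (so CR and LF),
// space and the separator characters. The D modifier stops "$" from matching
// in front of a trailing "\n".
function assertValidHeaderName(string $name): void
{
    if (preg_match('/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+$/D', $name) !== 1) {
        throw new HeaderInjectionException('Invalid header name: ' . showBytes($name));
    }
}

// Header value may contain VCHAR, SP, HTAB and obs-text (0x80-0xFF) only.
// obs-fold (CRLF followed by whitespace) is deprecated, so every CR or LF,
// paired or bare, is refused instead of being unfolded.
function assertValidHeaderValue(string $value): void
{
    if (preg_match('/^[\x09\x20-\x7E\x80-\xFF]*$/D', $value) !== 1) {
        throw new HeaderInjectionException('Invalid header value: ' . showBytes($value));
    }
}

// The incomplete check: it looks only for the CRLF sequence. A bare "\n"
// passes, and a server that accepts "\n" as a line terminator will treat
// whatever follows it as a new header line.
function crlfOnlyCheck(string $field): bool
{
    return strpos($field, "\r\n") === false;
}

// Serialise a header map with the strict validator applied to every name
// and value before anything is concatenated onto the wire form.
function serializeHeaders(array $headers): string
{
    $wire = '';
    foreach ($headers as $name => $value) {
        assertValidHeaderName((string) $name);
        assertValidHeaderValue((string) $value);
        $wire .= $name . ': ' . $value . "\r\n";
    }
    return $wire . "\r\n";
}

// Constructed inputs: an attacker-controlled value and an attacker-controlled
// name, each carrying a bare LF followed by an injected header line.
$evilValue = "203.0.113.7\nX-Injected: yes";
$evilName  = "X-Trace\nX-Injected";

foreach ([$evilValue, $evilName] as $field) {
    printf("CRLF-only check accepts %s: %s\n",
        showBytes($field), crlfOnlyCheck($field) ? 'yes' : 'no');
}

foreach ([['X-Forwarded-For' => $evilValue], [$evilName => 'abc']] as $headers) {
    try {
        echo serializeHeaders($headers);
    } catch (HeaderInjectionException $e) {
        echo 'strict validator: ', $e->getMessage(), "\n";
    }
}

// A clean header map still serialises normally.
echo serializeHeaders(['Host' => 'example.com', 'X-Request-Id' => 'abc123']);
```

Run with `php example.php`. The CRLF-only check accepts both constructed inputs, because neither contains the two-byte \r\n sequence, while the strict validator throws for both and lets the clean map through. The design point is that the validator whitelists the characters the grammar allows rather than blacklisting one terminator sequence, so \n, \r, NUL and other CTLs are all refused without having to enumerate them.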
References
Link | Resource |
---|---|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775 | Not Applicable |
https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96 | Not Applicable |
https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw | Vendor Advisory |
https://lists.debian.org/debian-lts-announce/2023/12/msg00028.html | |
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF/ | Mailing List Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U/ | Mailing List Third Party Advisory |
https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4 | Technical Description |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-04-17T21:08:46.675Z
Updated: 2023-04-17T21:08:46.675Z
Reserved: 2023-04-03T13:37:18.453Z
Link: CVE-2023-29197
NVD Information
Status : Modified
Published: 2023-04-17T22:15:09.947
Modified: 2024-01-01T01:15:20.317
Link: CVE-2023-29197
Redhat Information
No data.
CWE