Cyber Security

Patch released for cross-domain cookie leakage flaw in Guzzle

The maintainers of Guzzle, the popular HTTP client for PHP applications, have addressed a high severity vulnerability leading to cross-domain cookie leakage.

Drupal, the open source content management system (CMS), is among the applications that use the third-party library and has released software updates addressing the issue.

The flaw resides in Guzzle’s cookie middleware, which is disabled by default, “so most library consumers will not be affected by this issue”, reads a GitHub security advisory published by a Guzzle maintainer on Wednesday (May 25).

The cookies crumble

Tracked as CVE-2022-29248, the bug centers on a failure to check if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header. This would allow “a malicious server to set cookies for unrelated domains”, continues the advisory.

“For example, an attacker at www.example.com might set a session cookie for api.example.net, logging the Guzzle client into their account and retrieving private API requests from the security log of their account.”

Guzzle is used to send HTTP requests from PHP programs for various use-cases.

The PSR-7-compatible library, which is approaching 22,000 stars on GitHub, is also used by Adobe’s e-commerce platform, Magento, among other applications, as well as by Laravel, the popular PHP web application framework.

However, only users that “manually add the cookie middleware to the handler stack or construct the client with [‘cookies’ => true] are affected”, explained the advisory. They must also use the same Guzzle client to call multiple domains and have redirect forwarding enabled to be vulnerable.

Guzzle maintainers have fixed the flaw in versions 6.5.6, 7.4.3, and 7.5.0, and advised users to ensure cookie middleware is disabled unless cookie support is required.

Drupal updates

In a security advisory issued on the same day as its Guzzle counterpart, Drupal said the Guzzle vulnerability “does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites”.

The issue has been patched in Drupal versions 9.3.14 and 9.2.20, with previous Drupal 9 versions no longer supported. Drupal 7 is not affected by the flaw.

Drupal classified the bug as ‘moderately critical’ on its own severity scale, assigning a score of 13 out of 25.

Source: https://portswigger.net/daily-swig/patch-released-for-cross-domain-cookie-leakage-flaw-in-guzzle

Click to comment

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO

Exit mobile version