CVE-2022-29248— Guzzle 信息泄露漏洞

Cross-domain cookie leakage in Guzzle

Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

信息暴露

Guzzle 信息泄露漏洞

Guzzle是guzzlehttp个人开发者的一个 PHP HTTP 客户端，可以轻松发送 HTTP 请求并轻松与 Web 服务集成。 Guzzle 7.0.0版本至7.4.3版本，以及6.5.6之前的版本存在信息泄露漏洞，该漏洞允许恶意服务器为不相关的域设置cookie，攻击者可以利用该漏洞从Guzzle 客户端登录到他们的帐户，并从其帐户的安全日志中检索私有 API 请求。

N/A

N/A