Security researchers have uncovered two vulnerabilities in a third-party library used by Drupal. The vulnerabilities, assigned the identifiers CVE-2022-31042 and CVE-2022-31043, are high-severity flaws that could allow remote attackers to obtain sensitive information from affected systems. It is highly recommended to learn about the flaws and address them as soon as possible. We have published this post to show you how to fix CVE-2022-31042 and CVE-2022-31043, high-severity sensitive information disclosure vulnerabilities in Drupal and Guzzle, an open-source PHP HTTP client.
What Is Drupal?
Drupal is a content management system (CMS) and platform for building websites and applications. It is free, open-source software that can be used by anyone to create and maintain a website. Drupal can be used to create everything from simple personal blogs to complex corporate websites, e-commerce sites, and social networking sites. Drupal is used by some of the largest organizations in the world, including NASA, The Guardian, and Harvard University.
Drupal is also popular among developers because it is very easy to customize and extend. There are Drupal modules (add-ons) for just about everything, and if you can’t find a module that does what you need, you can always create your own.
Drupal is written in PHP and uses a MySQL database. Drupal is released under the GNU General Public License, which means it is free to download and use. Drupal is developed and maintained by a community of volunteers from all over the world. Drupal is constantly being improved, and new versions are released regularly.
What Is Guzzle?
Guzzle is a PHP HTTP client that makes it easy to send HTTP requests and trivial to integrate with web services. Guzzle is especially useful for interacting with RESTful APIs. Guzzle attempts to remove as much boilerplate code as possible while still providing a rich set of features.
Guzzle is a framework-agnostic PHP library that provides developers with an easy way to interact with web services. Guzzle is available for download from Packagist and can be installed using Composer. Guzzle is also available as a PEAR package and as a standalone part. Guzzle is released under the MIT license.
Guzzle can be used with any web service, including Amazon S3. Guzzle will provide you with the building blocks you need to get started. Guzzle takes the pain out of sending HTTP requests and the redundancy out of creating web service clients.
Summary Of CVE-2022-31042:
The flaw lies in a third-party library, Guzzle. Drupal uses Guzzle to send HTTP requests to external services and handle their responses. Technically, this flaw does not affect Drupal core itself; however, contributed projects or custom code on a Drupal site may be affected.
If this flaw is left unfixed, it could allow remote attackers to obtain sensitive information from the affected systems. The flaw is simple enough to exploit that a specially crafted HTTP request is enough. Below is the vector table for the CVE-2022-31042 vulnerability.
Technical Details: Whenever a request is redirected to a different host, or downgraded from HTTPS to HTTP, the Cookie header should be removed from the redirected request. Guzzle stated that cookies managed by its cookie middleware were already removed before the request was forwarded; however, a manually added Cookie header was not removed.
| Field | Value |
| --- | --- |
| Associated CVE ID | CVE-2022-31042 |
| Description | Failure to remove the Cookie header on change in host or HTTP downgrade |
| Associated ZDI ID | – |
| CVSS Score | 7.5 High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
| Scope | Changed |
| Confidentiality (C) | High |
| Integrity (I) | None |
| Availability (A) | None |
Summary Of CVE-2022-31043:
As with CVE-2022-31042, this flaw lies in the third-party library Guzzle, which Drupal uses to send HTTP requests to external services and handle their responses. Technically, the flaw does not affect Drupal core itself; however, contributed projects or custom code on a Drupal site may be affected.
If this flaw is left unfixed, it could allow remote attackers to obtain sensitive information from the affected systems. The flaw is simple enough to exploit that a specially crafted HTTP request is enough. Below is the vector table for the CVE-2022-31043 vulnerability.
Technical Details: Whenever a request is redirected to a different host, or downgraded from HTTPS to HTTP, the Authorization header should be removed from the redirected request. Guzzle stated: “Prior to this fix, HTTPS to HTTP downgrades did not result in the Authorization header being removed, only changes to the host.”
| Field | Value |
| --- | --- |
| Associated CVE ID | CVE-2022-31043 |
| Description | Failure to remove the Authorization header on HTTP downgrade |
| Associated ZDI ID | – |
| CVSS Score | 7.5 High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
| Scope | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | None |
| Availability (A) | None |
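To make the two technical-details paragraphs above concrete, here is an added example (written in Python for this post; it is not Guzzle's own PHP code) of the decision a redirect-following HTTP client must make before re-sending a request to the Location target. It models both behaviours the advisories describe: the pre-fix client, which removed Authorization only on a host change and never removed a manually added Cookie header (CVE-2022-31042, CVE-2022-31043), and the fixed client, which removes both headers on a host change or an HTTPS-to-HTTP downgrade. All function names, the sample headers and the URLs are this example's own constructions.

```python
"""Redirect header policy before and after the Guzzle fix for
CVE-2022-31042 (Cookie) and CVE-2022-31043 (Authorization).

Added example, not Guzzle's code: function names, sample headers and
URLs below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Credential-bearing request headers the fixed middleware drops on a
# cross-host redirect or an HTTPS -> HTTP downgrade.
SENSITIVE_HEADERS = frozenset({"cookie", "authorization"})


def host_changed(orig_url: str, redirect_url: str) -> bool:
    """True when the redirect target's host differs from the original host."""
    return urlsplit(orig_url).hostname != urlsplit(redirect_url).hostname


def https_downgrade(orig_url: str, redirect_url: str) -> bool:
    """True when an HTTPS request is redirected to a plain-HTTP URL."""
    return (urlsplit(orig_url).scheme == "https"
            and urlsplit(redirect_url).scheme == "http")


def fixed_redirect_headers(headers: dict, orig_url: str, redirect_url: str) -> dict:
    """Headers to send on the redirected request, post-fix behaviour:
    Cookie and Authorization are removed on host change OR on downgrade."""
    if host_changed(orig_url, redirect_url) or https_downgrade(orig_url, redirect_url):
        return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
    return dict(headers)


def pre_fix_redirect_headers(headers: dict, orig_url: str, redirect_url: str) -> dict:
    """Pre-fix behaviour as described in the advisories: Authorization was
    removed only when the host changed, and a manually added Cookie header
    was never removed (only cookies managed by the cookie middleware were)."""
    if host_changed(orig_url, redirect_url):
        return {k: v for k, v in headers.items() if k.lower() != "authorization"}
    return dict(headers)


def leaked_headers(headers: dict, orig_url: str, redirect_url: str) -> list:
    """Names of sensitive headers the pre-fix client would have re-sent but the
    fixed client withholds, i.e. what the two CVEs expose for this redirect."""
    before = pre_fix_redirect_headers(headers, orig_url, redirect_url)
    after = fixed_redirect_headers(headers, orig_url, redirect_url)
    return sorted(k for k in before if k not in after)


if __name__ == "__main__":
    # Constructed sample request: a bearer token plus a hand-set Cookie header.
    sample = {"Authorization": "Bearer example-token",
              "Cookie": "session=abc",
              "Accept": "application/json"}
    cases = [
        ("https://api.example.test/v1", "https://api.example.test/v2"),    # same host, same scheme
        ("https://api.example.test/v1", "http://api.example.test/v1"),     # HTTPS -> HTTP downgrade
        ("https://api.example.test/v1", "https://other.example.test/v1"),  # host change
    ]
    for orig, target in cases:
        print(f"{orig} -> {target}: leaked before fix = {leaked_headers(sample, orig, target)}")
```

The host comparison mirrors what the advisory describes (a change in host); a same-host downgrade, which the pre-fix code treated as safe, is exactly the case CVE-2022-31043 covers, and `leaked_headers` shows both credential headers crossing to plain HTTP in that case.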
Versions Affected By CVE-2022-31042(3):
The advisory reports that Drupal versions 9.4, 9.3, and 9.2 are affected. Versions from 8 up to 9.2 were neither tested nor given a patch, since they are marked as end-of-life. If you are using any of these versions of Drupal, you may need to fix the CVE-2022-31042(3) vulnerabilities.
Drupal Versions Affected:
- 9.2.0 to 9.2.20
- 9.3.0 to 9.3.15
- 9.4.0 rc1
Guzzle Versions Affected:
- < 6.5.7
- < 7.4.4
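A quick way to tell whether a site pulls in one of the affected Guzzle releases listed above is to read the version pinned in its composer.lock. The following is an added example for this post (it is not Drupal's or Guzzle's own tooling) that compares the installed guzzlehttp/guzzle version against the first fixed release of each line, 6.5.7 and 7.4.4. The composer.lock excerpt embedded in it is constructed for the demonstration; treating anything below 6.x as affected and any major above 7 as postdating the fix are assumptions of this example.

```python
"""Check a composer.lock for a guzzlehttp/guzzle version below the fixed
releases named above (6.5.7 for the 6.x line, 7.4.4 for the 7.x line).

Added example; not Drupal's or Guzzle's own tooling. The lock-file excerpt
below is constructed for the example.
"""
import json
import re

# First fixed release per major line, per the advisory.
FIXED_RELEASES = {6: (6, 5, 7), 7: (7, 4, 4)}


def parse_version(version: str) -> tuple:
    """Turn 'v7.4.3' / '7.4.3' into (7, 4, 3); pre-release suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def guzzle_is_vulnerable(version: str) -> bool:
    """True when the installed guzzlehttp/guzzle predates the fix for its line.
    Assumption: anything older than 6.x is treated as vulnerable (the post says
    to upgrade those too), and majors above 7 are assumed to postdate the fix."""
    parsed = parse_version(version)
    major = parsed[0]
    if major < 6:
        return True
    fixed = FIXED_RELEASES.get(major)
    return fixed is not None and parsed < fixed


def find_guzzle(lock_text: str):
    """Return the installed guzzlehttp/guzzle version from composer.lock text,
    or None if the package is absent (checks 'packages' and 'packages-dev')."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "guzzlehttp/guzzle":
                return pkg.get("version")
    return None


def check_lock(lock_text: str):
    """(version, vulnerable) for the Guzzle entry in composer.lock, or (None, False)."""
    version = find_guzzle(lock_text)
    if version is None:
        return None, False
    return version, guzzle_is_vulnerable(version)


# Constructed composer.lock excerpt for demonstration, not from any real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "9.3.15"},
        {"name": "guzzlehttp/guzzle", "version": "7.4.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    version, vulnerable = check_lock(SAMPLE_LOCK)
    print(f"guzzlehttp/guzzle {version}: {'UPGRADE REQUIRED' if vulnerable else 'ok'}")
```

To run it against a real site, replace `SAMPLE_LOCK` with the contents of the project's composer.lock; the lock file, not composer.json, records the version actually installed.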
How To Fix CVE-2022-31042(3), High Severity Sensitive Information Disclosure Vulnerabilities In Drupal?
Drupal has released versions 9.2.21, 9.3.16, and 9.4.0 rc2 in response to the flaw. Install or upgrade Drupal to these suggested versions.
- Users of Drupal 9.4 need to update to Drupal 9.4.0-rc2.
- Users of Drupal 9.3 need to update to Drupal 9.3.16.
- Users of Drupal 9.2 need to update to Drupal 9.2.21.
Drupal versions from 8 up to 9.2 are marked as end-of-life, and no updates will be released for them. Users of Drupal 7 need not worry, as version 7 is not affected by these flaws.
Use the following commands to install or upgrade Drupal to the recommended versions.
Run this command to update your site and all dependencies to the latest version of Drupal:
$ composer update "drupal/core-*" --with-all-dependencies
Run this command to update your site to 9.2.21:
$ composer require drupal/core-recommended:9.2.21 drupal/core-composer-scaffold:9.2.21 drupal/core-project-message:9.2.21 --update-with-all-dependencies
Run this command to update your site to 9.3.16:
$ composer require drupal/core-recommended:9.3.16 drupal/core-composer-scaffold:9.3.16 drupal/core-project-message:9.3.16 --update-with-all-dependencies
Run this command to update your site to 9.4.0-rc2:
$ composer require drupal/core-recommended:9.4.0-rc2 drupal/core-composer-scaffold:9.4.0-rc2 drupal/core-project-message:9.4.0-rc2 --update-with-all-dependencies
If you use Guzzle directly in your own development, you should upgrade to Guzzle 7.4.4. If you are on an older Guzzle line, such as 6 or below, you should upgrade to Guzzle 6.5.7 or 7.4.4.
If you are not in a position to upgrade Guzzle, then you should use a different redirect middleware (or your own), or disable redirects and HTTP downgrades.
We hope this post helps you fix CVE-2022-31042 and CVE-2022-31043, high-severity sensitive information disclosure vulnerabilities in Drupal and Guzzle. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
Original article, author: ItWorker. If reprinted, please cite the source: https://blog.ytso.com/tech/aiops/269864.html