CVE-2022-24775
Publication date 21 March 2022
Last updated 24 July 2024
Ubuntu priority
guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| php-guzzlehttp-psr7 | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Fixed 1.8.3-1ubuntu0.1~esm1
|
|
| 20.04 LTS focal |
Fixed 1.4.2-0.1+deb10u2build0.20.04.1
|
|
| 16.04 LTS xenial | Ignored backporting risks regressions | |
| 14.04 LTS trusty | Ignored end of standard support |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
gianz
Version 1.4.2 requires refactoring of core functions to be fixed. Applying the patches to this version is likely to cause regressions.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-6670-1
- php-guzzlehttp-psr7 vulnerabilities
- 29 February 2024
Other references
- https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
- https://github.com/guzzle/psr7/pull/485/commits/e55afaa3fc138c89adf3b55a8ba20dc60d17f1f1
- https://github.com/guzzle/psr7/pull/486/commits/9a96d9db668b485361ed9de7b5bf1e54895df1dc
- https://www.drupal.org/sa-core-2022-006
- https://www.cve.org/CVERecord?id=CVE-2022-24775