CVE-2023-29197
Publication date 17 April 2023
Last updated 24 July 2024
Ubuntu priority
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| php-guzzlehttp-psr7 | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Fixed 1.8.3-1ubuntu0.1~esm1
|
|
| 20.04 LTS focal |
Fixed 1.4.2-0.1+deb10u2build0.20.04.1
|
|
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Ignored backporting risks regressions | |
| 14.04 LTS trusty | Ignored end of standard support | |
| php-nyholm-psr7 | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Fixed 1.5.0-1ubuntu0.1~esm1
|
|
| 20.04 LTS focal | Ignored backporting risks regressions | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Ignored end of standard support | |
| 14.04 LTS trusty | Ignored end of standard support |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
gianz
php-guzzlehttp-psr7 Version 1.4.2 requires refactoring of core functions to be fixed. Same story for php-nyholm-psr7 version 1.2.1. Applying the patches to this version is likely to cause regressions.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-6670-1
- php-guzzlehttp-psr7 vulnerabilities
- 29 February 2024
- USN-6671-1
- php-nyholm-psr7 vulnerability
- 29 February 2024
Other references
- https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
- https://github.com/guzzle/psr7/commit/0454e12ef0cd597ccd2adb036f7bda4e7fface66 (2.4.5)
- https://github.com/Nyholm/psr7/security/advisories/GHSA-wjfc-pgfp-pv9c
- https://github.com/Nyholm/psr7/commit/1029a2671cbdd3e075a21952082c2be7c8018426 (1.6.1)
- https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
- https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4
- https://www.cve.org/CVERecord?id=CVE-2023-29197