Drupal has patched a Guzzle third-party library vulnerability (CVE-2022-24775) that affects multiple versions of Drupal Core.
A remote attacker could exploit this vulnerability to compromise an affected system.
The Guzzle library is used for handling HTTP requests and responses to external services.
The Drupal security update SA-CORE-2022-006 was released outside the regular security release schedule because Guzzle had already published information about the vulnerability.
Drupal added that “vulnerabilities might exist with core, contributed modules, or custom modules that use Guzzle for outgoing requests.”
Drupal also stated that Guzzle rated CVE-2022-24775 as Low risk. The issue is fixed in Drupal 9.3.9 (for sites using Drupal 9.3) and Drupal 9.2.16 (for sites using Drupal 9.2).