Drupal has patched two moderately critical vulnerabilities in the third-party Guzzle library that affect multiple versions of Drupal core.
A remote attacker could exploit these vulnerabilities to compromise an affected system.
The Guzzle library is used for handling HTTP requests and responses to external services.
The Drupal third-party vulnerabilities (CVE-2022-31042 and CVE-2022-31043) concern Cookie and Authorization headers that are not stripped when a request is redirected, as described in the following Guzzle advisories:
- CVE-2022-31042: Failure to strip the Cookie header on change in host or HTTP downgrade
- CVE-2022-31043: Failure to strip the Authorization header on HTTP downgrade
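The redirect rule the two advisories describe, written out as an added illustration (this is not Guzzle's or Drupal's code; the function names and the sample headers are assumptions): before an HTTP client follows a redirect, it compares the original and target URLs and drops Cookie and Authorization when the host changes or the scheme downgrades from https to http.

```python
"""Redirect header-stripping policy of the kind described in the Guzzle
advisories for CVE-2022-31042 (Cookie on host change or HTTP downgrade) and
CVE-2022-31043 (Authorization on HTTP downgrade).  Added illustration, not
Guzzle's code; function names are assumptions."""
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials and must not leak across a host change
# or onto a cleartext connection.
SENSITIVE = {"cookie", "authorization"}


def is_downgrade(old_scheme: str, new_scheme: str) -> bool:
    """True when a redirect moves from https to plain http."""
    return old_scheme.lower() == "https" and new_scheme.lower() == "http"


def headers_for_redirect(request_url: str, location: str, headers: dict) -> dict:
    """Return the headers that may be forwarded when following a redirect.

    Rules (the ones the advisories say were missing):
      * Cookie and Authorization are dropped if the target host changes.
      * Both are also dropped on an https -> http downgrade, even to the
        same host, because they would otherwise travel in cleartext.
    A relative Location value is resolved against the request URL first.
    Header names are matched case-insensitively.
    """
    src = urlsplit(request_url)
    dst = urlsplit(urljoin(request_url, location))
    host_changed = (src.hostname or "").lower() != (dst.hostname or "").lower()
    downgrade = is_downgrade(src.scheme, dst.scheme)
    if not (host_changed or downgrade):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE}


if __name__ == "__main__":
    # Constructed sample: a request that carried both sensitive headers and
    # is redirected from https to http on the same host.
    sent = {"Cookie": "session=abc", "Authorization": "Bearer t", "Accept": "*/*"}
    print(headers_for_redirect("https://app.example/a", "http://app.example/b", sent))
```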
“We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has already published information about the vulnerabilities, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests. Guzzle has rated these vulnerabilities as high-risk,” Drupal stated in the advisory.
The issues are fixed in Drupal 9.4.0-rc2 (if using Drupal 9.4), Drupal 9.3.16 (if using Drupal 9.3) and Drupal 9.2.21 (if using Drupal 9.2). All versions of Drupal 9 prior to 9.2.x and all versions of Drupal 8 are end-of-life. Drupal 7 is not affected.