CVSS 3.1 base score (NVD): 7.5

CVE-2023-29197

guzzlehttp/psr7 < 1.9.1 and 2.x < 2.4.5 - Interpretation Conflict

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions perform improper header validation: an attacker who controls a header name or value can inject a bare newline (\n) into either. The specification requires \r\n as the line terminator (and \r\n\r\n to terminate the header list), but many servers in the wild also accept a bare \n, so the injected newline is read by such servers as the end of one header and the start of another (header injection). This is a follow-up to CVE-2022-24775, whose fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability; users are advised to upgrade.
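To make the interpretation conflict concrete, here is a small model of the problem, written as an added example rather than taken from guzzlehttp/psr7 (which is PHP; Python is used here only because the point is language-independent). `naive_validate` stands in for a check that rejects only the CRLF sequence, `strict_validate` for one that enforces the RFC 7230 grammar (token names, no CR or LF anywhere in a value), and `parse_strict` / `parse_lenient` model a spec-conformant server and a server that also treats a bare LF as a line terminator. The regexes, the function names and the `X-Forwarded-For` / `X-Admin` sample headers are constructed for this example, not taken from the library or the advisory.

```python
import re

# Constructed RFC 7230 grammar: a header name is a token, a value is visible ASCII or
# obs-text plus SP/HTAB. Neither may contain CR or LF (obs-fold is deliberately excluded).
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
VALUE_RE = re.compile(r"^[\t\x20-\x7E\x80-\xFF]*$")


def naive_validate(name, value):
    """Model of an incomplete fix: only the CRLF sequence is rejected, a bare LF passes."""
    if "\r\n" in name or "\r\n" in value:
        raise ValueError("CRLF not allowed in header")


def strict_validate(name, value):
    """Model of a complete fix: names must be tokens, values must contain no CR or LF at all."""
    if not TOKEN_RE.match(name):
        raise ValueError(f"{name!r} is not a valid header name")
    if not VALUE_RE.match(value):
        raise ValueError(f"{value!r} is not a valid header value")


def serialize_headers(headers, validate):
    """Client side: validate each (name, value) pair, then emit a CRLF-terminated header block."""
    lines = []
    for name, value in headers:
        validate(name, value)  # raises ValueError on rejection
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_strict(raw):
    """Server that follows the spec: only CRLF ends a line, so a bare LF stays inside the value."""
    block = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in block.split("\r\n"):
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def parse_lenient(raw):
    """Server that also accepts a bare LF as a line terminator, as many real servers do."""
    headers = []
    for line in raw.split("\n"):
        line = line.rstrip("\r")
        if line == "":
            break  # an empty line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


# Constructed attacker-influenced input: the value carries a bare LF followed by a second header.
ATTACKER_HEADERS = [
    ("Host", "example.test"),
    ("X-Forwarded-For", "203.0.113.5\nX-Admin: 1"),
]


def demo(headers=ATTACKER_HEADERS):
    """Return how each server sees the naively validated request, and whether strict validation stops it."""
    raw = serialize_headers(headers, naive_validate)  # naive check lets the bare LF through
    strict_view = dict(parse_strict(raw))
    lenient_view = dict(parse_lenient(raw))
    try:
        serialize_headers(headers, strict_validate)
        patched_rejects = False
    except ValueError:
        patched_rejects = True
    return {"strict": strict_view, "lenient": lenient_view, "patched_rejects": patched_rejects}


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

With the naive check, the spec-conformant parser sees two headers and the lenient one sees three, the third being the injected `X-Admin: 1`; that disagreement between sender and receiver is the CWE-436 condition. The strict validator rejects the same input before it is ever serialized, which is the only sound fix since the client cannot know how tolerant the peer is.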
Possible countermeasure
guzzlehttp/psr7: Update to version 1.9.1 (1.x branch) or 2.4.5 (2.x branch), or a newer patched version
WP Offload Media Lite for Amazon S3, DigitalOcean Spaces, and Google Cloud Storage: Update to version 3.2.2, or a newer patched version
WP Offload SES Lite: Update to version 1.6.4, or a newer patched version
Further vulnerability information
System: WordPress Plugin
Product: WP Offload Media Lite for Amazon S3, DigitalOcean Spaces, and Google Cloud Storage
Version: [*, 3.2.2)
System: WordPress Plugin
Product: WP Offload SES Lite
Version: [*, 1.6.4)
Data provided by the National Vulnerability Database (NVD)
Guzzlephp Psr-7 Version < 1.9.1
Guzzlephp Psr-7 Version >= 2.0.0 < 2.4.5
Fedoraproject Fedora Version 37
Fedoraproject Fedora Version 38
No CISA KEV entry or CERT.AT warning was found for this CVE.
EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 2.29% | 0.842
CVSS metrics
Source | Base Score | Exploitability Score | Impact Score | Vector String
nvd@nist.gov | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE-436 Interpretation Conflict

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.