7.5

CVE-2023-29197

EPSS 2.29%
Veröffentlicht 17.04.2023 22:15:09
Zuletzt bearbeitet 21.11.2024 07:56:41
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Guzzlephp ≫ Psr-7 Version < 1.9.1

Guzzlephp ≫ Psr-7 Version >= 2.0.0 < 2.4.5

Fedoraproject ≫ Fedora Version37

Fedoraproject ≫ Fedora Version38

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.29%	0.841

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-436 Interpretation Conflict

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96

Not Applicable

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775

Not Applicable

https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2023/12/msg00028.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF/

Third Party Advisory

Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U/

Third Party Advisory

Mailing List

https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4

Technical Description

https://nvd.nist.gov/vuln/detail/CVE-2023-29197

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-29197

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-29197

EUVD