A vulnerability in a third-party library opens a security hole in the Drupal CMS. The US cyber security agency CISA recommends updating.
The US cyber security agency CISA warns of a vulnerability in the content management system (CMS) Drupal. It could allow a remote attacker to take control of an affected website.
The vulnerability is not in Drupal's own code but in the third-party library Guzzle, which Drupal uses to handle HTTP requests to and responses from external services. The Guzzle project has released a fix. According to Drupal, the flaw does not affect Drupal core itself, but it may affect contributed projects or custom code on Drupal sites.
Bugs in third-party library
The Guzzle developers describe the vulnerability as "Cross-Domain Cookie Leakage". The flaw is a missing check: Guzzle's cookie jar did not verify that the domain of a cookie delivered in a "Set-Cookie" header matches the domain of the server that set it. A malicious server could exploit this to set cookies for other domains. As an example, the developers cite www.example.com setting a session cookie for api.example.net; the Guzzle client would then send that attacker-chosen session cookie with its requests to api.example.net, so a third party could plant a session of its own into private API requests (CVE-2022-29248, CVSS 8.0, risk "high").
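To make the missing check concrete, here is a small, self-contained cookie jar in Python. It is an added example written for this article, not Guzzle's code, and it deliberately exposes a switch (`check_domain`) so the vulnerable behaviour and the hardened behaviour can be run side by side. The response and request URLs are constructed to mirror the example the Guzzle developers give (www.example.com trying to set a session cookie for api.example.net); the cookie names and values are made up.

```python
"""Illustrative cookie-jar domain check (added example, not Guzzle's own code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # normalised: lower-case, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse 'name=value; Domain=...; ...' as sent by the server at request_host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip().lower().lstrip(".")
    if domain is None:
        # No Domain attribute: the cookie belongs to the setting host only.
        return Cookie(name.strip(), value, request_host.lower(), True)
    return Cookie(name.strip(), value, domain, False)


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: host equals domain or is a subdomain of it."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


class CookieJar:
    def __init__(self, check_domain: bool):
        self.check_domain = check_domain
        self.cookies: list[Cookie] = []

    def extract(self, response_url: str, set_cookie_headers: list[str]) -> None:
        """Store cookies from a response, as a client does after each reply."""
        host = urlsplit(response_url).hostname
        for header in set_cookie_headers:
            cookie = parse_set_cookie(header, host)
            # This is the check described in the advisory as missing: the server at
            # `host` may only set cookies for `host` itself or a domain it belongs to.
            if self.check_domain and not domain_matches(host, cookie.domain):
                continue
            self.cookies.append(cookie)

    def cookie_header(self, request_url: str) -> str:
        """Build the Cookie header the client would attach to a request."""
        host = urlsplit(request_url).hostname
        sent = []
        for c in self.cookies:
            ok = host == c.domain if c.host_only else domain_matches(host, c.domain)
            if ok:
                sent.append(f"{c.name}={c.value}")
        return "; ".join(sent)


def cross_domain_attempt(check_domain: bool) -> str:
    """Constructed scenario: a response from www.example.com tries to plant a
    session cookie for api.example.net. Returns what a later request to
    api.example.net would carry in its Cookie header."""
    jar = CookieJar(check_domain)
    jar.extract("https://www.example.com/",
                ["SESSION=attacker-chosen; Domain=api.example.net; Path=/"])
    return jar.cookie_header("https://api.example.net/v1/private")


def legitimate_subdomain_cookie(check_domain: bool) -> str:
    """Constructed scenario: www.example.com sets a cookie for its parent domain
    example.com, which a request to api.example.com should legitimately carry."""
    jar = CookieJar(check_domain)
    jar.extract("https://www.example.com/login", ["sid=abc123; Domain=example.com"])
    return jar.cookie_header("https://api.example.com/")


if __name__ == "__main__":
    print("unchecked jar sends to api.example.net:", repr(cross_domain_attempt(False)))
    print("checked jar sends to api.example.net:  ", repr(cross_domain_attempt(True)))
    print("checked jar, legitimate parent-domain cookie:", repr(legitimate_subdomain_cookie(True)))
```

With `check_domain=False` the attacker-chosen `SESSION` cookie is sent to api.example.net; with the check enabled it is dropped, while a cookie that www.example.com sets for its own parent domain example.com is still accepted and sent to api.example.com. The example only implements the domain-match rule; a production jar additionally needs the public-suffix rule (so that a host cannot set a cookie for a suffix such as `com`), Path and Secure handling, and expiry.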
In their security advisory, the Drupal developers write that they are publishing it outside the usual release window because the Guzzle project has already published details of the vulnerability. The flaw may be reachable through contributed or custom modules that use Guzzle for outgoing HTTP requests. The Guzzle developers likewise rate it as high risk.
Drupal installations before the current version 9.3.14, or before 9.2.20 on the 9.2 branch, are affected. Administrators should update to these versions as soon as possible. According to the release notes, the updated versions contain only the fix for the Guzzle vulnerability. Older Drupal branches are no longer supported, so administrators should bring such installations up to a version the developers still maintain. Sites whose contributed or custom code pulls in its own copy of Guzzle via Composer should check that copy separately (for example with `composer show guzzlehttp/guzzle`); the Guzzle project fixed the bug in versions 6.5.6 and 7.4.3.
Vulnerabilities in the Guzzle library have prompted Drupal to ship updated software before. Most recently, in mid-March of this year, a bug in Guzzle's handling of HTTP headers required such an update.