Additional security flaws in the Guzzle library allow attackers to compromise vulnerable Drupal installations. Updates close the gaps.
The content management system Drupal uses the Guzzle component, in which the developers have closed two security gaps. According to the US cyber security agency CISA, attackers could misuse them to take over vulnerable Drupal installations. The Drupal project is responding with updated packages that fix the vulnerabilities.
Vulnerabilities in Guzzle
“Cookie” headers sent with requests to a server carry sensitive information. For HTTPS requests, Guzzle could incorrectly forward such information if the server redirects the request to HTTP or to another host (CVE-2022-31042, CVSS 7.5, risk “high”). “Authorization” headers also contain sensitive data. They may exhibit the same misbehavior as the cookie headers (CVE-2022-31043, CVSS 7.5, high).
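The redirect rule described above can be expressed as a small check. This is an added example, not code from Guzzle or Drupal; the function names, header values and example.* hosts are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration only; all names here are hypothetical, not Guzzle's API.
const SENSITIVE_HEADERS = ['cookie', 'authorization'];

/** Returns [scheme, host] of an absolute URI, lower-cased. */
function origin_parts(string $uri): array
{
    $p = parse_url($uri);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException("Not an absolute URI: $uri");
    }
    return [strtolower($p['scheme']), strtolower($p['host'])];
}

/** True when a redirect changes the host or downgrades https to another scheme. */
function redirect_leaks_credentials(string $from, string $to): bool
{
    [$fromScheme, $fromHost] = origin_parts($from);
    [$toScheme, $toHost] = origin_parts($to);
    $downgrade = $fromScheme === 'https' && $toScheme !== 'https';
    return $downgrade || $fromHost !== $toHost;
}

/** Returns the headers that may be sent on to the redirect target. */
function headers_for_redirect(array $headers, string $from, string $to): array
{
    if (!redirect_leaks_credentials($from, $to)) {
        return $headers;
    }
    // Header names are case-insensitive, so compare in lower case.
    return array_filter(
        $headers,
        fn(string $name): bool => !in_array(strtolower($name), SENSITIVE_HEADERS, true),
        ARRAY_FILTER_USE_KEY
    );
}

// Constructed sample headers and redirect targets.
$headers = ['Cookie' => 'SESS=constructed', 'Authorization' => 'Bearer constructed', 'Accept' => '*/*'];
$from = 'https://cms.example/api';
foreach (['https://cms.example/v2', 'http://cms.example/api', 'https://other.example/api'] as $to) {
    $kept = array_keys(headers_for_redirect($headers, $from, $to));
    printf("%-28s keeps: %s\n", $to, implode(', ', $kept));
}
```

Only the same-host HTTPS redirect keeps all three headers; the downgrade and the cross-host redirect keep only the Accept header.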
In their security advisory, the Drupal developers write that the vulnerabilities do not affect Drupal core, but potentially affect third-party modules and custom code extensions. However, they consider the risk so high that they are releasing a security update outside the regular schedule.
CISA also warns of the security vulnerabilities and recommends that administrators review the Drupal security advisory and install the updated packages. Drupal 9.2, 9.3 and 9.4 are affected. The updates to versions 9.2.21, 9.3.16 and 9.4.0-rc2 iron out the security-critical bugs. According to the release notes, the new versions only contain the security fixes.
Only two weeks have passed since other vulnerabilities in the Guzzle component threatened the security of Drupal installations. CISA has already issued a warning and recommended applying the updates.