Cross-Domain Cookie Leakage in Guzzle Fixed
Developers of Guzzle have addressed a high-severity vulnerability leading to cross-domain cookie leakage.
The open source content management system Drupal is among the applications that use the third-party library, and it has released software updates addressing the issue.
The flaw resides in Guzzle's cookie middleware, which is disabled by default, so most library consumers will not be affected by this issue.
The bug, tracked as CVE-2022-29248 and not especially critical, centers on a failure to check whether the cookie domain equals the domain of the server that sets the cookie via the Set-Cookie header. This would allow a malicious server to set cookies for unrelated domains.
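The missing check described above, sketched in PHP as an added example (not Guzzle's code and not taken from the advisory): a minimal cookie store that handles one Set-Cookie value with and without comparing its Domain attribute to the responding host. The function names, host names and header value are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration; function names are hypothetical, not Guzzle's API.
// RFC 6265 domain-match: the host equals the cookie domain or is a subdomain of it.
function domainMatches(string $requestHost, string $cookieDomain): bool
{
    $host = strtolower($requestHost);
    $domain = strtolower(ltrim($cookieDomain, '.'));
    if ($domain === '' || $host === $domain) {
        return $domain !== '';
    }
    // IP literals only match exactly; suffix matching applies to host names.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    $suffix = '.' . $domain;
    return substr($host, -strlen($suffix)) === $suffix;
}

// Stores one Set-Cookie value in $jar; $checkDomain = false models the unpatched behaviour.
function storeCookie(array &$jar, string $requestHost, string $setCookie, bool $checkDomain): bool
{
    $parts = array_map('trim', explode(';', $setCookie));
    $pair = explode('=', (string) array_shift($parts), 2);
    if (count($pair) !== 2 || $pair[0] === '') {
        return false; // not a name=value cookie
    }
    $domain = $requestHost; // no Domain attribute: cookie belongs to the sending host
    foreach ($parts as $attr) {
        $kv = array_map('trim', explode('=', $attr, 2));
        if (count($kv) === 2 && strcasecmp($kv[0], 'Domain') === 0 && $kv[1] !== '') {
            $domain = $kv[1];
        }
    }
    if ($checkDomain && !domainMatches($requestHost, $domain)) {
        return false; // response tried to set a cookie for a domain it does not serve
    }
    $jar[strtolower(ltrim($domain, '.'))][$pair[0]] = $pair[1];
    return true;
}

// Constructed sample: a response from one host naming an unrelated domain.
$header = 'sid=value-from-other-server; Domain=shop.example; Path=/';
foreach ([false, true] as $check) {
    $jar = [];
    $stored = storeCookie($jar, 'cdn.example.net', $header, $check);
    printf("domain check %s: stored=%s jar domains=[%s]\n",
        $check ? 'on' : 'off', $stored ? 'yes' : 'no', implode(', ', array_keys($jar)));
}
```

The sketch leaves out public-suffix handling and the remaining cookie attributes (Path, Secure, expiry), which a real cookie jar also has to evaluate.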
Guzzle is used to send HTTP requests from PHP programs for various use-cases.
The PSR-7-compatible library, which is approaching 22,000 stars on GitHub, is also used by Adobe’s e-commerce platform, Magento, among other applications, as well as by Laravel, the popular PHP web application framework.
Users who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. They must also use the same Guzzle client to call multiple domains and have redirect forwarding enabled to be vulnerable.
In an advisory issued as a counterpart to Guzzle's, Drupal said the Guzzle vulnerability does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.
The flaw is fixed in Guzzle versions 6.5.6, 7.4.3, and 7.5.0, and users are advised to ensure cookie middleware is disabled unless cookie support is required.
The issue has been patched in Drupal versions 9.3.14 and 9.2.20, with previous Drupal 9 versions no longer supported. Drupal 7 is not affected by the flaw.