Security researchers have uncovered two vulnerabilities in a third-party library used by Drupal. The vulnerabilities, assigned the identifiers CVE-2022-31042 and CVE-2022-31043, are high-severity flaws that could allow remote attackers to obtain sensitive information from affected systems. It is highly recommended to understand the flaws and address them as soon as possible. We have published this post to show you how to fix CVE-2022-31042 and CVE-2022-31043, high-severity sensitive information disclosure vulnerabilities in Drupal and Guzzle, an open-source PHP HTTP client.
Drupal is a content management system (CMS) and platform for building websites and applications. It is free, open-source software that can be used by anyone to create and maintain a website. Drupal can be used to create everything from simple personal blogs to complex corporate websites, e-commerce sites, and social networking sites. Drupal is used by some of the largest organizations in the world, including NASA, The Guardian, and Harvard University.
Drupal is also popular among developers because it is easy to customize and extend. There are Drupal modules (add-ons) for just about everything, and if you can't find a module that does what you need, you can always create your own.
Drupal is written in PHP and uses a MySQL database. Drupal is released under the GNU General Public License, which means it is free to download and use. Drupal is developed and maintained by a community of volunteers from all over the world. Drupal is constantly being improved, and new versions are released regularly.
Guzzle is a PHP HTTP client that makes it easy to send HTTP requests and trivial to integrate with web services. Guzzle is especially useful for interacting with RESTful APIs. Guzzle attempts to remove as much boilerplate code as possible while still providing a rich set of features.
Guzzle is a framework agnostic PHP library that provides developers with an easy way to interact with web services. Guzzle is available for download from Packagist and can be installed using Composer. Guzzle is also available as a PEAR package and as a standalone part. Guzzle is released under the MIT license.
Guzzle can be used with any web service, including Amazon S3. Guzzle will provide you with the building blocks you need to get started. Guzzle takes the pain out of sending HTTP requests and the redundancy out of creating web service clients.
The flaw lies in a third-party library, Guzzle. Drupal uses Guzzle to handle HTTP requests to, and responses from, external services. Technically, this flaw does not affect Drupal core itself; however, contributed projects or custom code on a Drupal site may be affected.
If this flaw is left unfixed, remote attackers could obtain sensitive information from affected systems. The flaw is simple to exploit: a specially crafted HTTP redirect response is enough. Below is the vector table for the CVE-2022-31042 vulnerability.
Technical Details: Ideally, whenever a request is redirected to a different host, or in the case of an HTTPS-to-HTTP downgrade, Cookie headers should be removed from the forwarded request. Guzzle stated that cookies managed by its cookie middleware would have the Cookie header removed before the request was forwarded; however, manually added Cookie headers were not removed.
| Field | Value |
|---|---|
| Associated CVE ID | CVE-2022-31042 |
| Description | Failure to remove the Cookie header on change in host or HTTP downgrade |
| Associated ZDI ID | – |
| CVSS Score | 7.5 High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Changed |
| Confidentiality (C) | High |
| Integrity (I) | None |
| Availability (A) | None |
The second flaw is in the same library and carries the same impact: if left unfixed, remote attackers could obtain sensitive information from affected systems, and a specially crafted HTTP redirect response is enough to exploit it. Below is the vector table for the CVE-2022-31043 vulnerability.
Technical Details: Ideally, whenever a request is redirected to a different host, or in the case of an HTTPS-to-HTTP downgrade, the Authorization header should be removed from the forwarded request. Guzzle said, “Prior to this fix, HTTPS to HTTP downgrades did not result in the Authorization header being removed, only changes to the host.”
| Field | Value |
|---|---|
| Associated CVE ID | CVE-2022-31043 |
| Description | Failure to remove the Authorization header on HTTP downgrade |
| Associated ZDI ID | – |
| CVSS Score | 7.5 High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | None |
| Availability (A) | None |
The advisory reports that Drupal versions 9.4, 9.3, and 9.2 are affected. Versions from 8 up to (but not including) 9.2 were neither tested nor given a patch, since those versions are end-of-life. If you are running any of the versions listed below, you need to fix CVE-2022-31042 and CVE-2022-31043.
Drupal Versions Affected:
9.2.0 to 9.2.20
9.3.0 to 9.3.15
9.4.0 rc1
Guzzle Versions Affected:
< 6.5.7
< 7.4.4
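To check whether a site falls inside those ranges, here is an added example script; it is not part of the original post and is not Drupal's or Guzzle's own code. It reads a project's composer.lock and compares the pinned versions of drupal/core, drupal/core-recommended and guzzlehttp/guzzle against the affected ranges and fixed releases quoted on this page. The package names, the optional lock-file path argument and the sample lock data are my assumptions; the sample data is constructed, and treating 7.0.0 as the first release of the Guzzle 7 line is an assumption as well.

```php
<?php
declare(strict_types=1);

// Added example (not part of the original post, not Drupal or Guzzle code):
// flag composer.lock entries inside the affected ranges quoted on the page.

// package => list of [first affected version (inclusive), fixed release (exclusive upper bound)].
// The fixed release doubles as the version to recommend.
const AFFECTED_RANGES = [
    'drupal/core'             => [['9.2.0', '9.2.21'], ['9.3.0', '9.3.16'], ['9.4.0-rc1', '9.4.0-rc2']],
    'drupal/core-recommended' => [['9.2.0', '9.2.21'], ['9.3.0', '9.3.16'], ['9.4.0-rc1', '9.4.0-rc2']],
    // "< 6.5.7" and "< 7.4.4" as the advisory states them; 7.0.0 as the
    // start of the 7.x line is an assumption.
    'guzzlehttp/guzzle'       => [['0', '6.5.7'], ['7.0.0', '7.4.4']],
];

/**
 * Return the release to upgrade to when $version of $package is affected,
 * or null when the package is unknown or already at a fixed release.
 */
function fixedVersionFor(string $package, string $version): ?string
{
    if (!isset(AFFECTED_RANGES[$package])) {
        return null;
    }
    // Some Composer packages pin versions as "v1.2.3"; version_compare wants "1.2.3".
    $v = ltrim($version, 'v');
    foreach (AFFECTED_RANGES[$package] as [$lower, $fixed]) {
        if (version_compare($v, $lower, '>=') && version_compare($v, $fixed, '<')) {
            return $fixed;
        }
    }

    return null;
}

/**
 * Walk both the production and dev package sections of a composer.lock
 * document and collect every affected package with its recommended fix.
 */
function auditComposerLock(string $lockJson): array
{
    $lock     = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            $fixed = fixedVersionFor($pkg['name'], $pkg['version']);
            if ($fixed !== null) {
                $findings[] = [
                    'package'    => $pkg['name'],
                    'installed'  => $pkg['version'],
                    'upgrade_to' => $fixed,
                ];
            }
        }
    }

    return $findings;
}

// Constructed sample lock file (not from a real project) used when no path is given.
$sampleLock = json_encode([
    'packages' => [
        ['name' => 'drupal/core-recommended', 'version' => '9.3.12'],
        ['name' => 'guzzlehttp/guzzle',       'version' => '7.4.2'],
        ['name' => 'symfony/yaml',            'version' => 'v4.4.40'],
    ],
    'packages-dev' => [],
]);

$lockJson = $argc > 1 ? file_get_contents($argv[1]) : $sampleLock;
$findings = auditComposerLock($lockJson);
if ($findings === []) {
    echo "No affected Drupal core or Guzzle versions found.\n";
}
foreach ($findings as $f) {
    printf("%s %s is affected; upgrade to %s\n", $f['package'], $f['installed'], $f['upgrade_to']);
}
```

Run it as `php audit-lock.php /path/to/composer.lock` from the site root; with no argument it audits the embedded sample. Because composer.lock records the resolved versions rather than the constraints in composer.json, this reflects what is actually deployed, including a Guzzle pulled in transitively by a contributed module.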
Drupal has released versions 9.2.21, 9.3.16, and 9.4.0-rc2 in response to the flaws. Install or upgrade Drupal to these recommended versions:
Users of Drupal 9.4 need to update Drupal 9.4.0-rc2.
Users of Drupal 9.3 need to update Drupal 9.3.16.
Users of Drupal 9.2 need to update Drupal 9.2.21.
Drupal 8 up to 9.2 is end-of-life and no updates will be released for it. Users of Drupal 7 need not worry, as version 7 is not affected by these flaws.
Use the following commands to install or upgrade Drupal to the recommended versions.
Run this command to update your site and all dependencies to the latest version of Drupal:
$ composer update "drupal/core-*" --with-all-dependencies
Run this command to update your site to 9.2.21:
$ composer require drupal/core-recommended:9.2.21 drupal/core-composer-scaffold:9.2.21 drupal/core-project-message:9.2.21 --update-with-all-dependencies
Run this command to update your site to 9.3.16:
$ composer require drupal/core-recommended:9.3.16 drupal/core-composer-scaffold:9.3.16 drupal/core-project-message:9.3.16 --update-with-all-dependencies
Run this command to update your site to 9.4.0-rc2:
$ composer require drupal/core-recommended:9.4.0-rc2@RC drupal/core-composer-scaffold:9.4.0-rc2@RC drupal/core-project-message:9.4.0-rc2@RC --update-with-all-dependencies
If you use Guzzle directly in your own code or middleware, you should upgrade to Guzzle 7.4.4. If you are still on an older release line, such as Guzzle 6, upgrade to Guzzle 6.5.7 or to 7.4.4.
If you are not in a position to upgrade Guzzle, use a different or your own redirect-handling middleware, or disable redirects and HTTP downgrades.
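As an added illustration of the "own middleware or disable redirects" route described above (example code, not Guzzle's own implementation and not Drupal code), the following PHP switches off Guzzle's built-in redirect handling and follows Location headers itself, dropping the Cookie and Authorization headers whenever a hop changes host or downgrades from https, which is exactly the condition both Technical Details sections above describe. The function names, the example.test URLs and the token and cookie values are my assumptions and constructed; the script assumes guzzlehttp/guzzle 7 and guzzlehttp/psr7 are installed through Composer.

```php
<?php
declare(strict_types=1);

// Added example, not Guzzle's or Drupal's own code. Assumes guzzlehttp/guzzle 7
// and guzzlehttp/psr7 are installed through Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\Uri;
use GuzzleHttp\Psr7\UriResolver;
use Psr\Http\Message\RequestInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\UriInterface;

// Headers carrying credentials that must not follow a redirect to another
// host (CVE-2022-31042) or over an HTTPS-to-HTTP downgrade (CVE-2022-31043).
const SENSITIVE_HEADERS = ['Cookie', 'Authorization'];

/**
 * Decide whether credentials attached to a request for $from may be reused
 * for $to. They may not when the host differs, or when the scheme changes
 * to anything other than https (a downgrade).
 */
function shouldStripSensitiveHeaders(UriInterface $from, UriInterface $to): bool
{
    if (strcasecmp($from->getHost(), $to->getHost()) !== 0) {
        return true;
    }
    $fromScheme = strtolower($from->getScheme());
    $toScheme   = strtolower($to->getScheme());

    return $fromScheme !== $toScheme && $toScheme !== 'https';
}

/**
 * Build the follow-up request for a Location header: resolve relative targets
 * against the current URI and remove sensitive headers when the hop crosses a
 * host boundary or downgrades the scheme. Method and body are kept as they
 * are, so this is intended for GET requests.
 */
function nextRedirectRequest(RequestInterface $request, string $location): RequestInterface
{
    $target = UriResolver::resolve($request->getUri(), new Uri($location));
    $next   = $request->withUri($target);

    if (shouldStripSensitiveHeaders($request->getUri(), $target)) {
        foreach (SENSITIVE_HEADERS as $header) {
            $next = $next->withoutHeader($header);
        }
    }

    return $next;
}

/**
 * Send $request with Guzzle's own redirect middleware switched off and walk
 * the 3xx chain here, so every hop passes through nextRedirectRequest().
 */
function sendFollowingRedirects(Client $client, RequestInterface $request, int $maxRedirects = 5): ResponseInterface
{
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $response = $client->send($request, ['allow_redirects' => false]);
        $status   = $response->getStatusCode();
        $location = $response->getHeaderLine('Location');

        if ($status < 300 || $status >= 400 || $location === '') {
            return $response;
        }
        $request = nextRedirectRequest($request, $location);
    }

    throw new RuntimeException('Gave up after ' . $maxRedirects . ' redirects');
}

// Demonstration on constructed URLs and credentials (no network call needed).
$origin  = new Uri('https://api.example.test/resource');
$request = new Request('GET', (string) $origin, [
    'Authorization' => 'Bearer example-token', // constructed value
    'Cookie'        => 'session=example',      // constructed value
]);

foreach (['https://api.example.test/other', 'https://cdn.example.test/resource', 'http://api.example.test/resource'] as $candidate) {
    $hop = nextRedirectRequest($request, $candidate);
    printf("%-35s strip: %-3s  Authorization still present: %s\n",
        $candidate,
        shouldStripSensitiveHeaders($origin, new Uri($candidate)) ? 'yes' : 'no',
        $hop->hasHeader('Authorization') ? 'yes' : 'no');
}

// Live use against a real endpoint, left commented so the script runs offline:
// $response = sendFollowingRedirects(new Client(), $request);
```

Note that the decision is made hop by hop, so a chain that leaves the original host and later returns to it does not regain the credentials; they are gone after the first cross-host or downgrade hop. A site that cannot patch Guzzle and has no need for cross-origin redirects can simply pass `'allow_redirects' => false` on every request and treat any 3xx as an error.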
We hope this post has helped you fix CVE-2022-31042 and CVE-2022-31043, the high-severity sensitive information disclosure vulnerabilities in Drupal and Guzzle. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium and Instagram, and subscribe to receive updates like this.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.