Drupal Out-of-band security update addresses two vulnerabilities in the third-party library Guzzle [CVE-2022-31042 and CVE-2022-31043]
CVE numbers: CVE-2022-31042 and CVE-2022-31043
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:
- Failure to strip the Cookie header on change in host or HTTP downgrade
- Fix failure to strip Authorization header on HTTP downgrade
These do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.
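Both advisories describe the same class of defect in a redirect-following HTTP client: credentials attached to the first request (Authorization, Cookie) are replayed to a redirect target on a different host, or over plain HTTP after an HTTPS-to-HTTP downgrade, so a server the client was not meant to trust, or anyone on the network path, can observe them. The following Python is an added illustration of the policy a client should apply at each redirect hop; it is not Guzzle's code and not part of the original advisory. The header list, URLs and redirect chain are constructed for the example, and `headers_for_redirect` and `follow_redirect_chain` are names chosen here.

```python
from urllib.parse import urlsplit

# Headers that carry credentials and must not leak to another host or be
# sent over a downgraded (plaintext) connection. Constructed for this
# example; it lists the two headers named in the Guzzle advisories.
SENSITIVE_HEADERS = ("authorization", "cookie")


def _default_port(scheme):
    return {"https": 443, "http": 80}.get(scheme)


def _host_and_port(url):
    # Compare host and effective port, so https://a/ and https://a:443/ match.
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else _default_port(parts.scheme.lower())
    return host, port


def is_downgrade(from_url, to_url):
    """True when the redirect moves from https to plain http."""
    return urlsplit(from_url).scheme.lower() == "https" and urlsplit(to_url).scheme.lower() == "http"


def is_host_change(from_url, to_url):
    """True when host or effective port differ between the two URLs."""
    return _host_and_port(from_url) != _host_and_port(to_url)


def headers_for_redirect(from_url, to_url, headers):
    """Return the header set to send to a redirect target.

    Drops Authorization and Cookie whenever the redirect changes host
    (including port) or downgrades https to http. Header names are
    matched case-insensitively; all other headers are forwarded unchanged.
    """
    if not (is_downgrade(from_url, to_url) or is_host_change(from_url, to_url)):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirect_chain(start_url, redirects, headers):
    """Walk a constructed redirect chain and record the headers sent at each hop.

    Once a header has been stripped it stays stripped for the rest of the
    chain, because each hop starts from the previous hop's header set.
    """
    sent = []
    current = start_url
    current_headers = dict(headers)
    for target in redirects:
        current_headers = headers_for_redirect(current, target, current_headers)
        sent.append((target, dict(current_headers)))
        current = target
    return sent


if __name__ == "__main__":
    # Constructed sample: same-host hop keeps credentials, downgrade hop drops them.
    initial = {"Authorization": "Bearer example-token", "Cookie": "session=abc", "Accept": "application/json"}
    chain = ["https://api.example.test/step2", "http://api.example.test/step3"]
    for target, hdrs in follow_redirect_chain("https://api.example.test/login", chain, initial):
        print(target, sorted(hdrs))
```

The check is deliberately host-and-port based rather than hostname only: a redirect from `https://a:443` to `https://a:8443` reaches a different listener, and the client has no basis for trusting it with the original credentials. A site reviewing contributed or custom Drupal code that passes tokens or cookies to Guzzle can use the same two questions (did the host change? did the scheme drop to http?) when tracing where a credential may have travelled before the update was applied.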
Solution:
Install the latest version:
- If you are using Drupal 9.4, update to Drupal 9.4.0-rc2.
- If you are using Drupal 9.3, update to Drupal 9.3.16.
- If you are using Drupal 9.2, update to Drupal 9.2.21.
All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 is not affected.
Advanced users may also work around this issue by temporarily using drupal/core instead of drupal/core-recommended and then updating Guzzle to the desired version. More information on managing Guzzle with Drupal 9.4 is available in the Drupal documentation.
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.