CVE-2023-29197: Improper header name validation in guzzlehttp/psr7
First published: Mon Apr 17 2023(Updated: )
### Impact Improper header parsing. An attacker could sneak in a newline (`\n`) into both the header names and values. While the specification states that `\r\n\r\n` is used to terminate the header list, many servers in the wild will also accept `\n\n`. ### Patches The issue is patched in 1.9.1 and 2.4.5. ### Workarounds There are no known workarounds. ### References * https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/guzzlehttp/psr7 | >=2<2.4.5<1.9.1 | |
| Guzzlephp Psr-7 | <1.9.1 | |
| Guzzlephp Psr-7 | >=2.0.0<2.4.5 | |
| Fedoraproject Fedora | =37 | |
| Fedoraproject Fedora | =38 | |
| composer/guzzlehttp/psr7 | >=2.0.0<2.4.5 | 2.4.5 |
| composer/guzzlehttp/psr7 | <1.9.1 | 1.9.1 |
| ubuntu/php-guzzlehttp-psr7 | <1.4.2-0.1+ | 1.4.2-0.1+ |
| ubuntu/php-guzzlehttp-psr7 | <1.8.3-1ubuntu0.1~ | 1.8.3-1ubuntu0.1~ |
| ubuntu/php-guzzlehttp-psr7 | <2.4.5 | 2.4.5 |
| ubuntu/php-nyholm-psr7 | <1.5.0-1ubuntu0.1~ | 1.5.0-1ubuntu0.1~ |
| ubuntu/php-nyholm-psr7 | <1.6.1 | 1.6.1 |
| debian/php-guzzlehttp-psr7 | 1.7.0-1+deb11u2 2.4.5-1 2.6.2-3 | |
| debian/php-nyholm-psr7 | 1.3.2-2+deb11u1 1.5.1-2 1.8.1-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775
- https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U/
- https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4
- https://lists.debian.org/debian-lts-announce/2023/12/msg00028.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-29197
- https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2023-29197.yaml
- https://github.com/advisories/GHSA-wxmh-65f7-jcvw (Advisory)
- https://launchpad.net/bugs/cve/CVE-2023-29197
- https://github.com/guzzle/psr7/commit/0454e12ef0cd597ccd2adb036f7bda4e7fface66
- https://github.com/Nyholm/psr7/security/advisories/GHSA-wjfc-pgfp-pv9c
- https://github.com/Nyholm/psr7/commit/1029a2671cbdd3e075a21952082c2be7c8018426
- https://security-tracker.debian.org/tracker/CVE-2023-29197
- https://github.com/guzzle/psr7/commit/0454e12ef0cd597ccd2adb036f7bda4e7fface66 (2.4.5)
- https://github.com/Nyholm/psr7/commit/1029a2671cbdd3e075a21952082c2be7c8018426 (1.6.1)
- https://ubuntu.com/security/notices/USN-6670-1
- https://ubuntu.com/security/notices/USN-6671-1
- https://www.cve.org/CVERecord?id=CVE-2023-29197
- https://ubuntu.com/security/CVE-2023-29197
Frequently Asked Questions
What is CVE-2023-29197?
CVE-2023-29197 is a vulnerability in the guzzlehttp/psr7 library that allows for improper header validation, potentially enabling an attacker to inject malicious content into HTTP headers.
How does CVE-2023-29197 impact the guzzlehttp/psr7 library?
CVE-2023-29197 affects versions up to 2.4.5 and 1.9.1 of the guzzlehttp/psr7 library, allowing for improper parsing of newline characters in header names and values.
What is the severity of CVE-2023-29197?
CVE-2023-29197 has a severity rating of 7.5, which is classified as high.
How can I fix CVE-2023-29197 in my application?
To fix CVE-2023-29197, update the guzzlehttp/psr7 library to version 2.4.6 or higher.
Are there any references about CVE-2023-29197?
Yes, you can find more information about CVE-2023-29197 at the following references: - Advisory: https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw - CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775 - Advisory: https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
- collector/friends-of-php
- collector/nvd-index
- collector/mitre-cve
- collector/github-advisory-latest
- alias/GHSA-wxmh-65f7-jcvw
- alias/CVE-2023-29197
- agent/type
- agent/last-modified-date
- agent/author
- agent/weakness
- agent/severity
- agent/title
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-cve
- collector/github-advisory
- source/GitHub
- agent/first-publish-date
- agent/description
- collector/launchpad-cve
- source/Launchpad
- agent/event
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- package-manager/composer
- vendor/guzzlephp
- canonical/guzzlephp psr-7
- version/guzzlephp psr-7/2.0.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/37
- version/fedoraproject fedora/38
- package-manager/ubuntu
- package-manager/debian