How severe is CVE-2022-31090?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.7 out of 10.

What type of vulnerability is CVE-2022-31090?

This is classified as CWE-200, which is a common weakness in software security.

CVE-2022-31090

HIGH Year: 2022

CVSS v3 Score

7.7

High

CVSS v2 Score

4.0

Medium

Weakness Type

CWE-200

View all →

Vulnerability Description

Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, one should simply disable redirects all together. Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl.

CVE-2016-0267

HIGH

CVSS:7.7(High)

IBM UrbanCode Deploy 6.0.x before 6.0.1.13, 6.1.x before 6.1.3.3, and 6.2.x before 6.2.1.1 allows remote authenticated users to obtain sensitive cleartext secure-property information via (1) the serve...

CWE-2002016

CVE-2016-3473

HIGH

CVSS:7.7(High)

Unspecified vulnerability in the BI Publisher (formerly XML Publisher) component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.1.9.0, and 12.2.1.0.0 allows remote authenticated users to affect confiden...

CWE-2002016

CVE-2016-3765

HIGH

CVSS:7.7(High)

decoder/impeg2d_bitstream.c in mediaserver in Android 6.x before 2016-07-01 allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via a...

CWE-2002016

CVE-2016-5565

HIGH

CVSS:7.7(High)

Unspecified vulnerability in the Oracle Hospitality OPERA 5 Property Services component in Oracle Hospitality Applications 5.4.0.0 through 5.4.3.0, 5.5.0.0, and 5.5.1.0 allows remote authenticated use...

CWE-2002016

CVE-2019-5534

HIGH

CVSS:7.7(High)

VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability where Virtual Machines deployed from an OVF could expose lo...

CWE-2002019

CVE-2020-4079

HIGH

CVSS:7.7(High)

Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 2.8.0, when the ajax endpoint for the "excel export" portal functionality is called directly it allows getting...

CWE-2002020

CVE-2022-31090

Vulnerability Description

Related Vulnerabilities

CVE-2016-0267

CVE-2016-3473

CVE-2016-3765

CVE-2016-5565

CVE-2019-5534

CVE-2020-4079