How severe is CVE-2022-31091?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.7 out of 10.

What type of vulnerability is CVE-2022-31091?

This is classified as CWE-200, which is a common weakness in software security.

CVE-2022-31091

HIGH Year: 2022

CVSS v3 Score

7.7

High

CVSS v2 Score

4.0

Medium

Weakness Type

CWE-200

View all →

Vulnerability Description

Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive information. In affected versions on making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from the request, before containing. Previously, we would only consider a change in host or scheme. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.

CVE-2016-0267

HIGH

CVSS:7.7(High)

IBM UrbanCode Deploy 6.0.x before 6.0.1.13, 6.1.x before 6.1.3.3, and 6.2.x before 6.2.1.1 allows remote authenticated users to obtain sensitive cleartext secure-property information via (1) the serve...

CWE-2002016

CVE-2016-3473

HIGH

CVSS:7.7(High)

Unspecified vulnerability in the BI Publisher (formerly XML Publisher) component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.1.9.0, and 12.2.1.0.0 allows remote authenticated users to affect confiden...

CWE-2002016

CVE-2016-3765

HIGH

CVSS:7.7(High)

decoder/impeg2d_bitstream.c in mediaserver in Android 6.x before 2016-07-01 allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via a...

CWE-2002016

CVE-2016-5565

HIGH

CVSS:7.7(High)

Unspecified vulnerability in the Oracle Hospitality OPERA 5 Property Services component in Oracle Hospitality Applications 5.4.0.0 through 5.4.3.0, 5.5.0.0, and 5.5.1.0 allows remote authenticated use...

CWE-2002016

CVE-2019-5534

HIGH

CVSS:7.7(High)

VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability where Virtual Machines deployed from an OVF could expose lo...

CWE-2002019

CVE-2020-4079

HIGH

CVSS:7.7(High)

Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 2.8.0, when the ajax endpoint for the "excel export" portal functionality is called directly it allows getting...

CWE-2002020

CVE-2022-31091

Vulnerability Description

Related Vulnerabilities

CVE-2016-0267

CVE-2016-3473

CVE-2016-3765

CVE-2016-5565

CVE-2019-5534

CVE-2020-4079