SCA: security update for guzzlehttp/guzzle (GHSA-w248-ffj2-4v5q)

high Tenable Cloud Security Plugin ID 419622

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are
sensitive information. On making a request using the `https` scheme to a server which responds with a
redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is
much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to
`http` downgrades did not result in the `Authorization` header being removed, only changes to the host.
Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any
earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an
alternative approach which would be to use their own redirect middleware. Alternately users may simply
disable redirects all together if redirects are not expected or required. (CVE-2022-31043)

See Also

https://github.com/advisories/GHSA-w248-ffj2-4v5q

Plugin Details

Severity: High

ID: 419622

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2022-31043

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/9/2022

Vulnerability Publication Date: 6/9/2022

Reference Information

CVE: CVE-2022-31043