SCA: security update for guzzlehttp/guzzle (GHSA-25mq-v84q-4j7r)

high Tenable Self-Hosted Container Security Plugin ID 408710

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In
affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to
specify an `Authorization` header. On making a request which responds with a redirect to a URI with a
different origin (change in host, scheme or port), if we choose to follow it, we should remove the
`CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to
the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected
users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix
was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added
Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do
not require or expect redirects to be followed, one should simply disable redirects all together.
Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl. (CVE-2022-31090)

See Also

https://github.com/advisories/GHSA-25mq-v84q-4j7r

Plugin Details

Severity: High

ID: 408710

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Percentile: 50.87

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2022-31090

CVSS v3

Risk Factor: High

Base Score: 7.7

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/21/2022

Vulnerability Publication Date: 6/21/2022

Reference Information

CVE: CVE-2022-31090