According to its self-reported version, the instance of Drupal running on the remote web server is 9.2.x prior to 9.2.16 or 9.3.x prior to 9.3.9. It is, therefore, affected by an improper header parsing due to its usage of a third party component, Guzzle library for handling HTTP requests and responses to external services. An attacker could sneak in a new line character and pass untrusted values.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3705 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-3705-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                       Guilhem Moulin     December 31, 2023                             https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : php-guzzlehttp-psr7     Version        : 1.4.2-0.1+deb10u2     CVE ID         : CVE-2023-29197     Debian Bug     : 1034581

    It was discovered that php-guzzlehttp-psr7, a PSR-7 message     implementation, performed improper header parsing, which may lead to     information disclosure or authorization bypass.

    An attacker could sneak in a newline (\n) into both the header names and     values.  While the specification states that \r\n\r\n is used to     terminate the header list, many servers in the wild will also accept     \n\n.

    This is a follow-up to CVE-2022-24775 where the fix was incomplete.

    For Debian 10 buster, these problems have been fixed in version     1.4.2-0.1+deb10u2.

    We recommend that you upgrade your php-guzzlehttp-psr7 packages.

    For the detailed security status of php-guzzlehttp-psr7 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/php-guzzlehttp-psr7

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to     improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The     issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds. (CVE-2022-24775)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6670-1 advisory.

    It was discovered that php-guzzlehttp-psr7 incorrectly parsed HTTP headers. A remote attacker could     possibly use these issues to perform an HTTP header injection attack.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the instance of Drupal running on the remote web server is 9.2.x prior to 9.2.16 or 9.3.x prior to 9.3.9. It is, therefore, affected by a vulnerability.

  - guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to     improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The     issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds. (CVE-2022-24775)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
113209	Drupal 9.2.x < 9.2.16 Third-Party Library Vulnerability	Web App Scanning	Component Vulnerability	3/22/2022	3/14/2023	high
113208	Drupal 9.3.x < 9.3.9 Third-Party Library Vulnerability	Web App Scanning	Component Vulnerability	3/22/2022	3/14/2023	high
214474	Debian dla-3705 : php-guzzlehttp-psr7 - security update	Nessus	Debian Local Security Checks	1/22/2025	1/22/2025	high
250697	Linux Distros Unpatched Vulnerability : CVE-2022-24775	Nessus	Misc.	8/18/2025	10/28/2025	high
191432	Ubuntu 20.04 LTS / 22.04 LTS : php-guzzlehttp-psr7 vulnerabilities (USN-6670-1)	Nessus	Ubuntu Local Security Checks	2/29/2024	8/27/2024	high
159145	Drupal 9.2.x < 9.2.16 / 9.3.x < 9.3.9 Drupal Vulnerability (SA-CORE-2022-006)	Nessus	CGI abuses	3/22/2022	4/26/2022	high

Detections

Analytics

Plugins Search

high

high

high

high

high

high