According to its self-reported version, the instance of Drupal running on the remote web server is 9.2.x prior to 9.2.16 or 9.3.x prior to 9.3.9. It is, therefore, affected by an improper header parsing due to its usage of a third party component, Guzzle library for handling HTTP requests and responses to external services. An attacker could sneak in a new line character and pass untrusted values.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the instance of Drupal running on the remote web server is 9.2.x prior to 9.2.16 or 9.3.x prior to 9.3.9. It is, therefore, affected by a vulnerability.

  - guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to     improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The     issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds. (CVE-2022-24775)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6670-1 advisory.

  - guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to     improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The     issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds. (CVE-2022-24775)

  - guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to     improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values.
    While the specification states that \r\n\r\n is used to terminate the header list, many servers in the     wild will also accept \n\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue     has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users     are advised to upgrade. (CVE-2023-29197)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
113209	Drupal 9.2.x < 9.2.16 Third-Party Library Vulnerability	Web App Scanning	Component Vulnerability	3/22/2022	3/14/2023	high
113208	Drupal 9.3.x < 9.3.9 Third-Party Library Vulnerability	Web App Scanning	Component Vulnerability	3/22/2022	3/14/2023	high
159145	Drupal 9.2.x < 9.2.16 / 9.3.x < 9.3.9 Drupal Vulnerability (SA-CORE-2022-006)	Nessus	CGI abuses	3/22/2022	4/26/2022	high
191432	Ubuntu 20.04 LTS / 22.04 LTS : php-guzzlehttp-psr7 vulnerabilities (USN-6670-1)	Nessus	Ubuntu Local Security Checks	2/29/2024	3/6/2024	high

Detections

Analytics

Plugins Search

high

high

high

high