CVE-2023-29197
php-guzzlehttp-psr7 - security update
Description
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing: an attacker can inject a bare newline (\n) into both header names and header values, because the validation only rejected the CRLF (\r\n) sequence. The specification states that \r\n\r\n terminates the header list, but many servers in the wild also accept \n\n, so against such servers a header value that contains \n lets an attacker add headers of their own or terminate the header block early. This is a follow-up to CVE-2022-24775, whose fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade.
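The mechanism the description refers to, modelled as an added example (this is not code from the guzzlehttp/psr7 project): the strict check implements the RFC 7230 header grammar that the fixed releases enforce, rejecting CR and LF in any form; the "CRLF-only" check is an assumed stand-in for an incomplete fix, not the library's actual code; and the lenient server parser shows why a bare LF matters when the server accepts \n\n as the end of the header block. The attacker-controlled header value is constructed for the demonstration.

```python
import re
from typing import Callable, Dict, List, Tuple

# Header grammar from RFC 7230: a token for the field name and printable
# characters plus SP/HTAB for the field value. CR (0x0D) and LF (0x0A) are
# excluded from both, which is exactly the property the fixed releases enforce.
HEADER_NAME_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
HEADER_VALUE_RE = re.compile(r"[ \t\x21-\x7E\x80-\xFF]*")

Check = Callable[[str, str], bool]


def header_is_valid(name: str, value: str) -> bool:
    """Strict check: name is a token, value contains no control characters."""
    return bool(HEADER_NAME_RE.fullmatch(name)) and bool(HEADER_VALUE_RE.fullmatch(value))


def header_is_valid_crlf_only(name: str, value: str) -> bool:
    """Modelled incomplete check (an assumption, not the library's code):
    only the two-byte CRLF sequence is rejected, so a bare LF passes."""
    return "\r\n" not in name and "\r\n" not in value


def build_request(method: str, path: str, headers: List[Tuple[str, str]], check: Check) -> bytes:
    """Serialise a request the way an HTTP/1.1 client does, after running
    every header through `check`; raises ValueError on rejection."""
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in headers:
        if not check(name, value):
            raise ValueError(f"invalid header {name!r}: {value!r}")
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def lenient_parse(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Model of a lenient server: LF-only line endings are accepted and an
    LF LF sequence ends the header block just like CRLF CRLF does."""
    m = re.search(rb"\r\n\r\n|\n\n", raw)
    head, body = (raw[: m.start()], raw[m.end():]) if m else (raw, b"")
    lines = re.split(rb"\r?\n", head)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return lines[0].decode("latin-1"), headers, body


# Constructed attacker-controlled value: a bare LF adds a header, and LF LF
# terminates the header block so everything after it becomes the body.
ATTACK_VALUE = "bar\nX-Injected: 1\n\nGET /internal HTTP/1.1"


def demo() -> Dict[str, object]:
    """Run both checks against the constructed payload and report what a
    lenient server would see when the weak check lets it through."""
    weak_request = build_request(
        "GET", "/", [("Host", "example.org"), ("X-Foo", ATTACK_VALUE)], header_is_valid_crlf_only
    )
    _, seen_headers, seen_body = lenient_parse(weak_request)
    try:
        build_request("GET", "/", [("X-Foo", ATTACK_VALUE)], header_is_valid)
        strict_rejected = False
    except ValueError:
        strict_rejected = True
    return {
        "weak_check_accepts": header_is_valid_crlf_only("X-Foo", ATTACK_VALUE),
        "strict_check_accepts": header_is_valid("X-Foo", ATTACK_VALUE),
        "strict_build_rejected": strict_rejected,
        "injected_header_seen": seen_headers.get("x-injected"),
        "smuggled_body": seen_body,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

Running `demo()` shows the weak check passing the payload through, the lenient server recording an `X-Injected` header it never received from the legitimate application and treating the text after `\n\n` as the request body, while the strict check refuses the same header before a single byte is sent. The same strict grammar applies to header names, so a name such as `X-Foo\nX-Evil` is rejected too.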
How to fix CVE-2023-29197
To remediate CVE-2023-29197, upgrade the affected package to one of the fixed versions below.
- upgrade to 1.7.0-1+deb11u2 or later
- upgrade to 1.4.2-0.1+deb10u2 or later
- upgrade to 1.3.2-2+deb11u1 or later
- upgrade to 1.9.1 or later on the 1.x branch, or 2.4.5 or later on the 2.x branch
Is CVE-2023-29197 being exploited?
Low: EPSS is 4.8%, a low estimated probability of exploitation activity in the next 30 days; exploitation has not been observed at scale.
Affected packages (4)
- all versions < 1.7.0-1+deb11u2
- all versions < 1.4.2-0.1+deb10u2
- all versions < 1.3.2-2+deb11u1
- all versions < 1.9.1 on the 1.x branch, and < 2.4.5 on the 2.x branch
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |