Drupal Out-of-band security update addresses two vulnerabilities in the third-party library Guzzle [CVE-2022-31042 and CVE-2022-31043]
CVE numbers: CVE-2022-31042 and CVE-2022-31043
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories:
- Failure to strip the Cookie header on change in host or HTTP downgrade (CVE-2022-31042)
- Fix failure to strip Authorization header on HTTP downgrade (CVE-2022-31043)
These do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites. The exposure is in code that sends a request carrying a Cookie or Authorization header and lets Guzzle follow a redirect: before the fix, the header was re-sent to the redirect target even when that target was a different host or had dropped from https to http.
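The following is an added example, not code from Drupal or from the Guzzle project, that makes the redirect behaviour concrete. It needs guzzlehttp/guzzle installed via Composer and runs offline because Guzzle's MockHandler plays the remote server; the host api.example.com, the redirect chain and the credential values are constructed. The first half sends a request through a default client and reports which sensitive headers reached the redirected, plain-http request (on a fixed Guzzle release both are reported as stripped; on an unpatched one they are sent). The second half is a defensive pattern for custom code that cannot upgrade immediately: turn off automatic redirects and follow them by hand, dropping credentials on any host change or https to http downgrade.

```php
<?php
// Added example, not code from Drupal or Guzzle. Needs guzzlehttp/guzzle installed
// via Composer; runs offline because MockHandler stands in for the remote server.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\Response;
use GuzzleHttp\Psr7\Uri;
use GuzzleHttp\Psr7\UriResolver;
use Psr\Http\Message\RequestInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\UriInterface;

// Constructed redirect chain: the HTTPS API answers with a 302 to the same host
// over plain HTTP (an "HTTP downgrade"), which then answers 200.
function makeServer(): MockHandler
{
    return new MockHandler([
        new Response(302, ['Location' => 'http://api.example.com/me']),
        new Response(200, [], 'ok'),
    ]);
}

// Constructed credentials that must never travel over plain HTTP.
const SECRET_HEADERS = [
    'Authorization' => 'Bearer s3cr3t-token',
    'Cookie'        => 'SESS=abcdef0123456789',
];

// Print which credential headers were present on the final (redirected) request.
function report(string $label, RequestInterface $redirected): void
{
    printf("%s: %s %s\n", $label, $redirected->getMethod(), (string) $redirected->getUri());
    foreach (['Authorization', 'Cookie'] as $h) {
        printf("  %-14s %s\n", $h . ':', $redirected->hasHeader($h) ? 'SENT' : 'stripped');
    }
}

// 1) Default client: Guzzle's own RedirectMiddleware follows the 302. Before the
//    fixed releases (6.5.7/7.4.4 and 6.5.8/7.4.5) both headers are re-sent over http.
$server = makeServer();
$client = new Client(['handler' => HandlerStack::create($server)]);
$client->request('GET', 'https://api.example.com/me', ['headers' => SECRET_HEADERS]);
report('auto-follow', $server->getLastRequest());

// 2) Hardened pattern for code that cannot upgrade yet: disable automatic
//    redirects and follow them by hand, dropping credentials whenever the host
//    changes or the scheme drops from https to http.
function stripCredentialsIfUnsafe(RequestInterface $request, UriInterface $target): RequestInterface
{
    $from        = $request->getUri();
    $hostChanged = strcasecmp($from->getHost(), $target->getHost()) !== 0;
    $downgraded  = $from->getScheme() === 'https' && $target->getScheme() !== 'https';
    if ($hostChanged || $downgraded) {
        $request = $request->withoutHeader('Authorization')->withoutHeader('Cookie');
    }
    return $request->withUri($target); // withUri() also rewrites the Host header
}

function sendFollowingSafely(Client $client, RequestInterface $request, int $maxHops = 5): ResponseInterface
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $response = $client->send($request, ['allow_redirects' => false]);
        if (!in_array($response->getStatusCode(), [301, 302, 303, 307, 308], true)
            || !$response->hasHeader('Location')) {
            return $response;
        }
        // Resolve a relative Location against the request URI, as a browser would.
        $target  = UriResolver::resolve($request->getUri(), new Uri($response->getHeaderLine('Location')));
        $request = stripCredentialsIfUnsafe($request, $target);
    }
    throw new RuntimeException('too many redirects');
}

$server = makeServer();
$client = new Client(['handler' => HandlerStack::create($server)]);
sendFollowingSafely($client, new Request('GET', 'https://api.example.com/me', SECRET_HEADERS));
report('manual-follow', $server->getLastRequest());
```

The manual loop is deliberately stricter than Guzzle's own middleware: it drops both headers on either condition rather than treating Cookie and Authorization separately, and it caps the number of hops. Code that manages cookies through Guzzle's CookieJar rather than a raw Cookie header is already subject to the jar's domain and secure-flag matching, so the Cookie part of this concern applies to explicitly set headers.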
Solution:
Install the latest version:
- If you are using Drupal 9.4, update to Drupal 9.4.0-rc2.
- If you are using Drupal 9.3, update to Drupal 9.3.16.
- If you are using Drupal 9.2, update to Drupal 9.2.21.
All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 is not affected.
Advanced users may also work around this issue by temporarily using drupal/core instead of drupal/core-recommended and then updating Guzzle to the desired version. This works because drupal/core-recommended pins the exact versions of core's dependencies, Guzzle included, whereas drupal/core only declares version constraints, so Guzzle can be moved ahead of the release that core-recommended locks. See the Drupal documentation on managing Guzzle with Drupal 9.4 for details.
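Whether a site is exposed is decided by the Guzzle release that Composer actually locked, not by the Drupal version alone, particularly after the workaround above has decoupled Guzzle from core-recommended. The script below is an added example, not part of this advisory or of Drupal's tooling: it reads composer.lock and compares the locked guzzlehttp/guzzle release against the first fixed releases named in the Guzzle advisories (6.5.7 and 7.4.4 for CVE-2022-31042, 6.5.8 and 7.4.5 for CVE-2022-31043). The embedded lock fragment pinning Guzzle 7.4.2 is constructed sample input so the script runs stand-alone; pass a real composer.lock path to check a site.

```php
<?php
// Added example, not Drupal's own tooling: read composer.lock and report whether
// the locked guzzlehttp/guzzle release carries the fixes for CVE-2022-31042
// (6.5.7 / 7.4.4) and CVE-2022-31043 (6.5.8 / 7.4.5). Needs only php-cli.

// Earliest fixed release per advisory, keyed by Guzzle major version.
const GUZZLE_FIXED = [
    'CVE-2022-31042' => ['6' => '6.5.7', '7' => '7.4.4'],
    'CVE-2022-31043' => ['6' => '6.5.8', '7' => '7.4.5'],
];

// Return the locked Guzzle version, or null when the package is not present.
function lockedGuzzleVersion(string $lockJson): ?string
{
    $lock     = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $packages = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
    foreach ($packages as $pkg) {
        if (($pkg['name'] ?? '') === 'guzzlehttp/guzzle') {
            return ltrim((string) $pkg['version'], 'v'); // tolerate a "v7.4.5" style tag
        }
    }
    return null;
}

// Map each advisory to "fixed", "VULNERABLE (...)", or a "verify manually" note.
function guzzleAdvisoryStatus(string $version): array
{
    $status = [];
    if (!preg_match('/^(\d+)\.\d+/', $version, $m)) {
        // dev-* or branch aliases cannot be compared numerically.
        foreach (GUZZLE_FIXED as $cve => $_) {
            $status[$cve] = "non-release version '$version': verify manually";
        }
        return $status;
    }
    $major = $m[1];
    foreach (GUZZLE_FIXED as $cve => $fixedByMajor) {
        if (!isset($fixedByMajor[$major])) {
            $status[$cve] = "Guzzle major $major not covered by this table: verify manually";
        } elseif (version_compare($version, $fixedByMajor[$major], '>=')) {
            $status[$cve] = 'fixed';
        } else {
            $status[$cve] = "VULNERABLE (needs >= {$fixedByMajor[$major]})";
        }
    }
    return $status;
}

// Pass the path of a site's composer.lock as the first argument; without one, a
// constructed lock fragment pinning Guzzle 7.4.2 is used so the script runs alone.
$lockJson = isset($argv[1])
    ? file_get_contents($argv[1])
    : '{"packages":[{"name":"guzzlehttp/guzzle","version":"7.4.2"}],"packages-dev":[]}';

$version = lockedGuzzleVersion($lockJson);
if ($version === null) {
    echo "guzzlehttp/guzzle is not in composer.lock\n";
    exit(0);
}
echo "guzzlehttp/guzzle $version\n";
$exit = 0;
foreach (guzzleAdvisoryStatus($version) as $cve => $verdict) {
    printf("  %s: %s\n", $cve, $verdict);
    if (strpos($verdict, 'VULNERABLE') === 0) {
        $exit = 1; // non-zero exit lets CI block a deploy of an unpatched lock file
    }
}
exit($exit);
```

`composer show guzzlehttp/guzzle` reports the same installed version interactively; the script is for CI, where a non-zero exit should fail the build until Guzzle is at or above the fixed release for its major.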
Duncan is a technology professional with over 20 years of experience working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.