GHSA-m6ch-gg5f-wxx3

Suggest an improvement
Source
https://github.com/advisories/GHSA-m6ch-gg5f-wxx3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-m6ch-gg5f-wxx3/GHSA-m6ch-gg5f-wxx3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m6ch-gg5f-wxx3
Aliases
Published
2022-04-07T13:59:22Z
Modified
2023-11-08T03:58:31.024570Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
HTTP Proxy header vulnerability
Details

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTPPROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

References

Affected packages

Packagist / guzzlehttp/guzzle

Package

Name
guzzlehttp/guzzle
Purl
pkg:composer/guzzlehttp/guzzle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6
Fixed
6.2.1

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.1.0
6.1.1
6.2.0

Packagist / guzzlehttp/guzzle

Package

Name
guzzlehttp/guzzle
Purl
pkg:composer/guzzlehttp/guzzle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0-rc2
Fixed
4.2.4

Affected versions

4.*

4.0.0-rc.2
4.0.0
4.0.1
4.0.2
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.2.0
4.2.1
4.2.2
4.2.3

Packagist / guzzlehttp/guzzle

Package

Name
guzzlehttp/guzzle
Purl
pkg:composer/guzzlehttp/guzzle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5
Fixed
5.3.1

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.1.0
5.2.0
5.3.0

Packagist / drupal/core

Package

Name
drupal/core
Purl
pkg:composer/drupal/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0
Fixed
8.1.7

Affected versions

8.*

8.0.0-beta6
8.0.0-beta7
8.0.0-beta8
8.0.0-beta9
8.0.0-beta10
8.0.0-beta11
8.0.0-beta12
8.0.0-beta13
8.0.0-beta14
8.0.0-beta15
8.0.0-beta16
8.0.0-rc1
8.0.0-rc2
8.0.0-rc3
8.0.0-rc4
8.0.0
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5
8.0.6
8.1.0-beta1
8.1.0-beta2
8.1.0-rc1
8.1.0
8.1.1
8.1.2
8.1.3
8.1.4
8.1.5
8.1.6

Packagist / bugsnag/bugsnag-laravel

Package

Name
bugsnag/bugsnag-laravel
Purl
pkg:composer/bugsnag/bugsnag-laravel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.2

Affected versions

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.0.10
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.3.0
v1.4.0
v1.4.1
v1.4.2
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.7.0

v2.*

v2.0.0
v2.0.1

Packagist / amphp/artax

Package

Name
amphp/artax
Purl
pkg:composer/amphp/artax

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.4

Affected versions

v0.*

v0.1.0
v0.3.7
v0.4.0
v0.5.0
v0.5.1
v0.6.0
v0.6.1
v0.6.2
v0.7.0
v0.7.1

v1.*

v1.0.0-alpha
v1.0.0-beta
v1.0.0-beta2
v1.0.0-rc1
v1.0.0-rc2
v1.0.0-rc3
v1.0.0-rc4
v1.0.0-rc5
v1.0.0-rc6
v1.0.0
v1.0.1
v1.0.2
v1.0.3

Packagist / amphp/artax

Package

Name
amphp/artax
Purl
pkg:composer/amphp/artax

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.4

Affected versions

v2.*

v2.0.0
v2.0.1
v2.0.3

2.*

2.0.2

Packagist / padraic/humbug_get_contents

Package

Name
padraic/humbug_get_contents
Purl
pkg:composer/padraic/humbug_get_contents

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.2

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0
1.1.1