CVE-2022-31043 Overview
CVE-2022-31043 is an information disclosure vulnerability in Guzzle, an open source PHP HTTP client. The vulnerability exists in the redirect middleware, where an Authorization header carrying sensitive credentials is not stripped when a request is redirected from an https URL to an http URL. While Guzzle correctly removed the Authorization header when the host changed during a redirect, it did not apply the same protection to an HTTPS to HTTP protocol downgrade, so authentication credentials could be sent over an unencrypted connection.
Critical Impact
Authentication credentials can be exposed in plaintext when Guzzle follows a redirect from HTTPS to HTTP, allowing network attackers to intercept sensitive authorization tokens and API keys.
Affected Products
- Guzzle versions prior to 7.4.4 (Guzzle 7.x series)
- Guzzle versions prior to 6.5.7 (Guzzle 6.x series)
- Drupal (multiple versions that bundle Guzzle)
- Debian Linux 11.0
Discovery Timeline
- 2022-06-10 - CVE-2022-31043 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-31043
Vulnerability Analysis
This vulnerability represents an information exposure flaw (CWE-200, CWE-212) in Guzzle's redirect handling logic. The Authorization header typically contains sensitive credentials such as Bearer tokens, Basic authentication credentials, or API keys. According to RFC 9110, HTTP clients should exercise caution when redirecting requests, particularly when protocol security is downgraded.
When a client makes an authenticated request to an HTTPS endpoint and that server responds with a redirect (3xx status) to an HTTP URL, the Authorization header should be stripped before following the redirect. This is because the credentials would be transmitted in cleartext over the unencrypted HTTP connection, making them vulnerable to interception through man-in-the-middle attacks, network sniffing, or other passive eavesdropping techniques.
Prior to the fix, Guzzle's RedirectMiddleware only checked for host changes when determining whether to remove sensitive headers, but did not account for scheme downgrades from HTTPS to HTTP.
Root Cause
The root cause lies in incomplete security checks within the RedirectMiddleware.php component. The middleware was designed to protect sensitive headers when the destination host changes during redirects, but the security logic did not extend to protocol scheme changes. This oversight meant that while a redirect from https://api.example.com to https://attacker.com would correctly strip the Authorization header, a redirect from https://api.example.com to http://api.example.com would not.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker could exploit this vulnerability through several methods:
- Malicious Redirect: An attacker controlling a server that a Guzzle client connects to could respond with a redirect to an HTTP endpoint they control, capturing the forwarded Authorization header
- Man-in-the-Middle: An attacker in a position to intercept network traffic could observe the unencrypted HTTP request containing the leaked credentials
- Compromised Infrastructure: A compromised intermediary server could redirect traffic to HTTP endpoints to harvest credentials
The security patch in src/RedirectMiddleware.php addresses this by adding checks for scheme downgrades:
}
/**
- * Check for too many redirects
+ * Check for too many redirects.
*
* @throws TooManyRedirectsException Too many redirects.
*/
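Review bot: the hunk quoted here only changes the docblock wording ("Check for too many redirects" gains a trailing period); the scheme-downgrade check that the surrounding text credits to this patch is not in the visible lines, so either extend the fragment to the condition that compares the original and redirect URI schemes before Authorization is removed, or point the reader at the full commit rather than this comment-only excerpt.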
Source: GitHub Commit
The complete fix ensures that Authorization headers are removed when redirects transition from HTTPS to HTTP schemes.
Detection Methods for CVE-2022-31043
Indicators of Compromise
- Unexpected HTTP (non-HTTPS) traffic containing Authorization headers from application servers
- Network logs showing authentication tokens transmitted over unencrypted connections
- Unusual redirect patterns in web server logs indicating HTTPS to HTTP downgrades
- Authentication tokens appearing in cleartext in network captures or proxy logs
Detection Strategies
- Audit PHP application dependencies using composer show guzzlehttp/guzzle to identify vulnerable Guzzle versions
- Implement network monitoring to detect Authorization headers in unencrypted HTTP traffic
- Review application logs for redirect chains that downgrade from HTTPS to HTTP
- Deploy software composition analysis (SCA) tools to identify vulnerable Guzzle versions across your codebase
Monitoring Recommendations
- Configure network intrusion detection systems to alert on sensitive headers in HTTP traffic
- Enable verbose logging in Guzzle clients to track redirect behavior during security audits
- Monitor for credential reuse or unauthorized access that may indicate leaked authentication tokens
- Implement TLS inspection where appropriate to identify protocol downgrade attempts
How to Mitigate CVE-2022-31043
Immediate Actions Required
- Upgrade Guzzle 7.x installations to version 7.4.4 or later immediately
- Upgrade Guzzle 6.x installations to version 6.5.7 or later
- Update Drupal installations following the guidance in Drupal Security Advisory SA-CORE-2022-011
- Rotate any API keys or authentication tokens that may have been exposed through vulnerable applications
Patch Information
The vulnerability is fixed in Guzzle versions 7.4.4 and 6.5.7. The patch modifies the RedirectMiddleware to properly strip Authorization headers when redirects result in a protocol downgrade from HTTPS to HTTP. Detailed patch information is available in the GitHub Security Advisory. Debian users should apply the patches referenced in DSA-5246.
Workarounds
- Implement custom redirect middleware that strips Authorization headers on scheme downgrades
- Disable automatic redirect following in Guzzle by setting 'allow_redirects' => false in request options
- Handle redirects manually in application code with explicit security checks
- Configure Guzzle to reject redirects that would downgrade the connection security
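The following PHP is an added example, not code from Guzzle or the page: it shows the check the Root Cause section describes (host change OR https-to-http downgrade) as a single predicate, and uses it in the manual-redirect workaround listed above so that an unpatched client never forwards the Authorization header over a downgraded hop. The endpoint URL, token and hop limit are placeholders.

```php
<?php
// Added example (not Guzzle's own RedirectMiddleware); requires guzzlehttp/guzzle 7.x.
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\Uri;
use GuzzleHttp\Psr7\UriResolver;
use GuzzleHttp\Psr7\Utils;
use Psr\Http\Message\RequestInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\UriInterface;

// The pre-fix middleware only tested the host clause; the https -> http clause is
// what was missing and what CVE-2022-31043 is about.
function mustStripAuthorization(UriInterface $from, UriInterface $to): bool
{
    $hostChanged = strcasecmp($from->getHost(), $to->getHost()) !== 0;
    $downgraded  = $from->getScheme() === 'https' && $to->getScheme() === 'http';
    return $hostChanged || $downgraded;
}

// Follow redirects by hand with Guzzle's automatic redirects disabled.
function sendWithSafeRedirects(Client $client, RequestInterface $request, int $maxHops = 5): ResponseInterface
{
    for ($hop = 0; ; $hop++) {
        $response = $client->send($request, ['allow_redirects' => false, 'http_errors' => false]);
        $status = $response->getStatusCode();
        if ($status < 300 || $status > 399 || !$response->hasHeader('Location')) {
            return $response; // not a redirect: hand the response back unchanged
        }
        if ($hop >= $maxHops) {
            throw new RuntimeException('Too many redirects');
        }
        $target = UriResolver::resolve($request->getUri(), new Uri($response->getHeaderLine('Location')));
        if (mustStripAuthorization($request->getUri(), $target)) {
            $request = $request->withoutHeader('Authorization'); // never cross a host or downgrade with credentials
        }
        // 303 always becomes GET; 301/302 on POST are treated the same way by common clients.
        if ($status === 303 || (in_array($status, [301, 302], true) && $request->getMethod() === 'POST')) {
            $request = $request->withMethod('GET')->withBody(Utils::streamFor(''));
        }
        $request = $request->withUri($target);
    }
}

// Placeholder usage: api.example.com and the bearer token are constructed, not real.
$client   = new Client();
$request  = new Request('GET', 'https://api.example.com/me', ['Authorization' => 'Bearer <token>']);
$response = sendWithSafeRedirects($client, $request);
echo $response->getStatusCode(), PHP_EOL;
```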
# Update Guzzle via Composer to the patched version
composer require guzzlehttp/guzzle:^7.4.4
# Or for Guzzle 6.x series
composer require guzzlehttp/guzzle:^6.5.7
# Verify the installed version
composer show guzzlehttp/guzzle
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.