Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5246 advisory.

  - An issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. Users     with the editinterface permission can trigger infinite recursion, because a bare local interwiki is     mishandled for the mainpage message. (CVE-2022-28201)

  - An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2.
    The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries     or Special:RevisionDelete. (CVE-2022-28202)

  - A denial-of-service issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x     before 1.37.2. When many files exist, requesting Special:NewFiles with actor as a condition can result in     a very long running query. (CVE-2022-28203)

  - Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the     cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of     the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for     unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be     affected by this issue. Only those who manually add the cookie middleware to the handler stack or     construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle     client to call multiple domains and have disabled redirect forwarding are not affected by this     vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off     the cookie middleware. (CVE-2022-29248)

  - Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are     sensitive information. On making a request using the `https` scheme to a server which responds with a     redirect to a URI with the `http` scheme, or on making a request to a server which responds with a     redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix,     only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header     manually added to the initial request would not be stripped. We now always strip it, and allow the cookie     middleware to re-add any cookies that it deems should be there. Affected Guzzle 7 users should upgrade to     Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to     Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an alternative approach to use your own     redirect middleware, rather than ours. If you do not require or expect redirects to be followed, one     should simply disable redirects all together. (CVE-2022-31042)

  - Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are     sensitive information. On making a request using the `https` scheme to a server which responds with a     redirect to a URI with the `http` scheme, we should not forward the `Authorization` header on. This is     much the same as to how we don't forward on the header if the host changes. Prior to this fix, `https` to     `http` downgrades did not result in the `Authorization` header being removed, only changes to the host.
    Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any     earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4. Users unable to upgrade may consider an     alternative approach which would be to use their own redirect middleware. Alternately users may simply     disable redirects all together if redirects are not expected or required. (CVE-2022-31043)

  - Guzzle, an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In     affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to     specify an `Authorization` header. On making a request which responds with a redirect to a URI with a     different origin (change in host, scheme or port), if we choose to follow it, we should remove the     `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to     the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected     users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix     was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added     Authorization header, however this earlier fix did not cover change in scheme or change in port. If you do     not require or expect redirects to be followed, one should simply disable redirects all together.
    Alternatively, one can specify to use the Guzzle steam handler backend, rather than curl. (CVE-2022-31090)

  - Guzzle, an extensible PHP HTTP client. `Authorization` and `Cookie` headers on requests are sensitive     information. In affected versions on making a request which responds with a redirect to a URI with a     different port, if we choose to follow it, we should remove the `Authorization` and `Cookie` headers from     the request, before containing. Previously, we would only consider a change in host or scheme. Affected     Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series     of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle     7.4.2, where a change in host would trigger removal of the curl-added Authorization header, however this     earlier fix did not cover change in scheme or change in port. An alternative approach would be to use your     own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect     redirects to be followed, one should simply disable redirects all together. (CVE-2022-31091)

  - An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before     1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account     creation, when it sets the page title to Welcome followed by the username, the username is not escaped:
    SpecialCreateAccount::successfulAction() calls ::showSuccessPage() with a message as second parameter, and     OutputPage::setPageTitle() uses text(). (CVE-2022-34911)

  - An issue was discovered in MediaWiki before 1.37.3 and 1.38.x before 1.38.1. The contributions-title, used     on Special:Contributions, is used as page title without escaping. Hence, in a non-default configuration     where a username contains HTML entities, it won't be escaped. (CVE-2022-34912)

  - Mediawiki reports: (T292763. CVE-2021-44854) REST API incorrectly publicly caches             autocomplete     search results from private wikis. (T271037, CVE-2021-44856) Title blocked in AbuseFilter can be created     via             Special:ChangeContentModel. (T297322, CVE-2021-44857) Unauthorized users can use     action=mcrundo to             replace the content of arbitrary pages.  (T297322, CVE-2021-44858)     Unauthorized users can view contents of private             wikis using various actions. (T297574,     CVE-2021-45038) Unauthorized users can access private wiki             contents using rollback action     (T293589, CVE-2021-44855) Blind Stored XSS in VisualEditor media dialog. (T294686) Special:Nuke doesn't     actually delete pages. (CVE-2021-44854, CVE-2021-44855, CVE-2021-44856)

  - Mediawiki reports: (T316304, CVE-2022-41767) SECURITY: reassignEdits doesn't update results             in     an IP range check on Special:Contributions.. (T309894, CVE-2022-41765) SECURITY: HTMLUserTextField exposes     existence             of hidden users.  (T307278, CVE-2022-41766) SECURITY: On action=rollback the message     alreadyrolled can leak revision deleted user name. (CVE-2022-41765, CVE-2022-41767)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 5ab54ea0-fa94-11ec-996c-080027b24e86 advisory.

  - A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or     cookie header data on HTTP redirects to the same host but another port number. (CVE-2022-27776)

  - Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the     cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of     the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for     unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be     affected by this issue. Only those who manually add the cookie middleware to the handler stack or     construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle     client to call multiple domains and have disabled redirect forwarding are not affected by this     vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off     the cookie middleware. (CVE-2022-29248)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the instance of Drupal running on the remote web server is 9.2.x prior to 9.2.20 or 9.3.x prior to 9.3.14. Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the instance of Drupal running on the remote web server is 9.2.x prior to 9.2.20 or 9.3.x prior to 9.3.14. It is, therefore, affected by a vulnerability.

  - Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the     cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of     the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for     unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be     affected by this issue. Only those who manually add the cookie middleware to the handler stack or     construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle     client to call multiple domains and have disabled redirect forwarding are not affected by this     vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off     the cookie middleware. (CVE-2022-29248)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
165710	Debian DSA-5246-1 : mediawiki - security update	Nessus	Debian Local Security Checks	high
162698	FreeBSD : mediawiki -- multiple vulnerabilities (5ab54ea0-fa94-11ec-996c-080027b24e86)	Nessus	FreeBSD Local Security Checks	high
113246	Drupal 9.2.x < 9.2.20 Third-Party Library Vulnerability	Web App Scanning	Component Vulnerability	high
113245	Drupal 9.3.x < 9.3.14 Third-Party Library Vulnerability	Web App Scanning	Component Vulnerability	high
161505	Drupal 9.2.x < 9.2.20 / 9.3.x < 9.3.14 Drupal Vulnerability (SA-CORE-2022-010)	Nessus	CGI abuses	high

Detections

Analytics

CVE-2022-29248

high

Tenable Plugins

high

high

high

high

high