Detections
Analytics
Drupal 9.2.x < 9.2.16 / 9.3.x < 9.3.9 Drupal Vulnerability (SA-CORE-2022-006)
high Nessus Plugin ID 159145
Language:
Synopsis
A PHP application running on the remote web server is affected by a vulnerability.Description
According to its self-reported version, the instance of Drupal running on the remote web server is 9.2.x prior to 9.2.16 or 9.3.x prior to 9.3.9. It is, therefore, affected by a vulnerability.- guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds. (CVE-2022-24775)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Drupal version 9.2.16 / 9.3.9 or later.See Also
https://www.drupal.org/sa-core-2022-006
https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
https://www.drupal.org/node/1173280
https://www.drupal.org/project/drupal/releases/9.2.16
Plugin Details
Severity: High
ID: 159145
File Name: drupal_9_3_9.nasl
Version: 1.4
Type: remote
Family: CGI abuses
Published: 3/22/2022
Updated: 4/26/2022
Configuration: Enable paranoid mode, Enable thorough checks
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: Medium
Base Score: 5
Temporal Score: 3.7
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS Score Source: CVE-2022-24775
CVSS v3
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:drupal:drupal
Required KB Items: Settings/ParanoidReport, installed_sw/Drupal
Exploit Ease: No known exploits are available
Patch Publication Date: 3/21/2022
Vulnerability Publication Date: 3/21/2022
Reference Information
CVE: CVE-2022-24775