Drupal 9.2.x < 9.2.20 / 9.3.x < 9.3.14 Drupal Vulnerability (SA-CORE-2022-010)

high Nessus Plugin ID 161505

Synopsis

A PHP application running on the remote web server is affected by a vulnerability.

Description

According to its self-reported version, the instance of Drupal running on the remote web server is 9.2.x prior to 9.2.20 or 9.3.x prior to 9.3.14. It is, therefore, affected by a vulnerability.

- Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware. (CVE-2022-29248)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Drupal version 9.2.20 / 9.3.14 or later.

See Also

https://www.drupal.org/sa-core-2022-010

http://www.nessus.org/u?a3278cd0

https://www.drupal.org/node/1173280

https://www.drupal.org/project/drupal/releases/9.2.20

https://www.drupal.org/project/drupal/releases/9.3.14

https://www.drupal.org/psa-2021-06-29

Plugin Details

Severity: High

ID: 161505

File Name: drupal_9_3_14.nasl

Version: 1.3

Type: remote

Family: CGI abuses

Published: 5/25/2022

Updated: 6/8/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2022-29248

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:drupal:drupal

Required KB Items: installed_sw/Drupal, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 5/25/2022

Vulnerability Publication Date: 5/25/2022

Reference Information

CVE: CVE-2022-29248