According to its self-reported version, the instance of Drupal running on the remote web server is 9.2.x prior to 9.2.16 or 9.3.x prior to 9.3.9. It is, therefore, affected by an improper header parsing due to its usage of a third party component, Guzzle library for handling HTTP requests and responses to external services. An attacker could sneak in a new line character and pass untrusted values.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the instance of Drupal running on the remote web server is 9.2.x prior to 9.2.16 or 9.3.x prior to 9.3.9. It is, therefore, affected by a vulnerability.

  - guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to     improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The     issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds. (CVE-2022-24775)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6670-1 advisory.

    It was discovered that php-guzzlehttp-psr7 incorrectly parsed HTTP headers. A remote attacker could     possibly use these issues to perform an HTTP header injection attack.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
113209	Drupal 9.2.x < 9.2.16 Third-Party Library Vulnerability	Web App Scanning	Component Vulnerability	3/22/2022	3/14/2023	high
113208	Drupal 9.3.x < 9.3.9 Third-Party Library Vulnerability	Web App Scanning	Component Vulnerability	3/22/2022	3/14/2023	high
159145	Drupal 9.2.x < 9.2.16 / 9.3.x < 9.3.9 Drupal Vulnerability (SA-CORE-2022-006)	Nessus	CGI abuses	3/22/2022	4/26/2022	high
191432	Ubuntu 20.04 LTS / 22.04 LTS : php-guzzlehttp-psr7 vulnerabilities (USN-6670-1)	Nessus	Ubuntu Local Security Checks	2/29/2024	8/27/2024	high

Detections

Analytics

Plugins Search

high

high

high

high