Security Experts:

Drupal Patches 'High-Risk' Third-Party Library Flaws

The Drupal security team has released a "moderately critical" advisory to call attention to serious vulnerabilities in a third-party library and warned that hackers can exploit the bugs to remotely hijack Drupal-powered websites.

The vulnerabilities, tracked as CVE-2022-31042 and CVE-2022-31043, were found and fixed in Guzzle, a third-party library that Drupal uses to handle HTTP requests and responses to external services.

"These do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites," according to a Drupal advisory

"We are issuing this security advisory outside our regular security release window schedule since Guzzle has already published information about the vulnerabilities, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests," it added.

Guzzle has rated these vulnerabilities as high-risk and Drupal warns that the bugs may affect some contributed projects or custom code on Drupal sites. 

"Exploitation of this vulnerability could allow a remote attacker to take control of an affected website," the team warned.

Guzzle issued independent advisories documenting the bugs as a failure to strip the Cookie header on change in host or HTTP downgrade and a failure to strip Authorization header on HTTP downgrade.

The security team recommends its users install the latest versions (Drupal 9.2 through Drupal 9.4). It's important to note that all versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.  

Related: US Gov Warning: VPN, Network Perimeter Product Flaws Under Constant Attack

Related: Drupal Releases Out-of-Band Security Updates

Related: Access Bypass, Data Overwrite Vulnerabilities Patched in Drupal

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.