The Drupal security team has released a “moderately critical” advisory to call attention to serious vulnerabilities in a third-party library and warned that hackers can exploit the bugs to remotely hijack Drupal-powered websites.
The vulnerabilities, tracked as CVE-2022-31042 and CVE-2022-31043, were found and fixed in Guzzle, a third-party library that Drupal uses to handle HTTP requests and responses to external services.
“These do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites,” according to a Drupal advisory.
“We are issuing this security advisory outside our regular security release window schedule since Guzzle has already published information about the vulnerabilities, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests,” it added.
Guzzle has rated these vulnerabilities as high-risk and Drupal warns that the bugs may affect some contributed projects or custom code on Drupal sites.
“Exploitation of this vulnerability could allow a remote attacker to take control of an affected website,” the team warned.
Guzzle issued independent advisories documenting the bugs as a failure to strip the Cookie header on change in host or HTTP downgrade and a failure to strip Authorization header on HTTP downgrade.
The security team recommends its users install the latest versions (Drupal 9.2 through Drupal 9.4). It’s important to note that all versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
Related: US Gov Warning: VPN, Network Perimeter Product Flaws Under Constant Attack
Related: Drupal Releases Out-of-Band Security Updates
Related: Access Bypass, Data Overwrite Vulnerabilities Patched in Drupal
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Backslash Snags $8M Seed Financing for AppSec Tech
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Aembit Scores $16.6M Seed Funding for Workload IAM Technology
- Project Zero: Samsung Mobile Chipsets Vulnerable to Baseband Code Execution Exploits
- Rapid7 Buys Anti-Ransomware Firm Minerva Labs for $38 Million
- Microsoft Pins Outlook Zero-Day Attacks on Russian Actor, Offers Detection Script
- Microsoft Warns of Outlook Zero-Day Exploitation, Patches 80 Security Vulns
- Adobe Warns of ‘Very Limited Attacks’ Exploiting ColdFusion Zero-Day
Latest News
- CISA, NSA Issue Guidance for IAM Administrators
- Analysis: SEC Cybersecurity Proposals and Biden’s National Cybersecurity Strategy
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Cisco Patches High-Severity Vulnerabilities in IOS Software
- ‘Nexus’ Android Trojan Targets 450 Financial Applications
- Tackling the Challenge of Actionable Intelligence Through Context
- Dole Says Employee Information Compromised in Ransomware Attack
- Backslash Snags $8M Seed Financing for AppSec Tech
