The Drupal security team has released a “moderately critical” advisory to call attention to serious vulnerabilities in a third-party library and warned that hackers can exploit the bugs to remotely hijack Drupal-powered websites.
The vulnerabilities, tracked as CVE-2022-31042 and CVE-2022-31043, were found and fixed in Guzzle, a third-party library that Drupal uses to handle HTTP requests and responses to external services.
“These do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites,” according to a Drupal advisory.
“We are issuing this security advisory outside our regular security release window schedule since Guzzle has already published information about the vulnerabilities, and vulnerabilities might exist in contributed modules or custom modules that use Guzzle for outgoing requests,” it added.
Guzzle has rated these vulnerabilities as high-risk and Drupal warns that the bugs may affect some contributed projects or custom code on Drupal sites.
“Exploitation of this vulnerability could allow a remote attacker to take control of an affected website,” the team warned.
Guzzle issued independent advisories documenting the bugs as a failure to strip the Cookie header on change in host or HTTP downgrade and a failure to strip Authorization header on HTTP downgrade.
The security team recommends its users install the latest versions (Drupal 9.2 through Drupal 9.4). It’s important to note that all versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage.
Related: US Gov Warning: VPN, Network Perimeter Product Flaws Under Constant Attack
Related: Drupal Releases Out-of-Band Security Updates
Related: Access Bypass, Data Overwrite Vulnerabilities Patched in Drupal