Failure to strip Authentication header on HTTP downgrade in guzzle/guzzle

Valid

Reported on

Jun 4th 2022


The Guzzle redirect middleware fails to strip the Authorization header when a redirect downgrades from https to http. The middleware currently only checks if the host has changed.

Impact

Potential leakage of the secret to a man in the middle.
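As an added example (not Guzzle's own code and not the patch itself), the plain-PHP script below shows the host-only rule the report describes next to a rule that also treats an https-to-http downgrade as a reason to drop the Authorization header, then applies both to a constructed header set over four constructed redirect pairs. Guzzle is a PHP library, so PHP is used; the script works on URL strings via parse_url rather than the PSR-7 UriInterface objects the real redirect middleware handles, and the example.com / example.org hosts and the placeholder token are constructed values.

```php
<?php
// Added example (not Guzzle's own code): the scheme-downgrade check a redirect
// handler needs, shown as the host-only rule beside the corrected rule and
// exercised over constructed redirect pairs. Run with: php redirect_auth.php
declare(strict_types=1);

/**
 * Host-only rule (the behaviour the report describes): strip Authorization
 * only when the redirect target is on a different host.
 */
function stripAuthHostOnly(string $from, string $to): bool
{
    $fromHost = (string) parse_url($from, PHP_URL_HOST);
    $toHost   = (string) parse_url($to, PHP_URL_HOST);
    return strcasecmp($fromHost, $toHost) !== 0;
}

/**
 * Corrected rule: also strip when an https request is redirected to http,
 * so the credential is never replayed over a cleartext hop.
 */
function stripAuthHostOrDowngrade(string $from, string $to): bool
{
    $fromScheme = strtolower((string) parse_url($from, PHP_URL_SCHEME));
    $toScheme   = strtolower((string) parse_url($to, PHP_URL_SCHEME));
    $downgraded = $fromScheme === 'https' && $toScheme === 'http';
    return stripAuthHostOnly($from, $to) || $downgraded;
}

/**
 * Apply a rule to a header map, as a redirect handler would before issuing
 * the follow-up request. Header names are matched case-insensitively.
 */
function headersForRedirect(array $headers, string $from, string $to, callable $rule): array
{
    if (!$rule($from, $to)) {
        return $headers;
    }
    return array_filter(
        $headers,
        static fn ($name): bool => strcasecmp((string) $name, 'Authorization') !== 0,
        ARRAY_FILTER_USE_KEY
    );
}

// Constructed redirect cases (example.com / example.org are documentation domains).
$cases = [
    ['https://example.com/a', 'https://example.com/b'], // same host, same scheme: keep
    ['https://example.com/a', 'https://example.org/b'], // host change: strip
    ['https://example.com/a', 'http://example.com/b'],  // same host, https -> http: strip
    ['http://example.com/a',  'https://example.com/b'], // upgrade to https: keep
];

// Constructed request headers; the token value is a placeholder.
$headers = [
    'Authorization' => 'Bearer <placeholder-token>',
    'Accept'        => 'application/json',
];

foreach ($cases as [$from, $to]) {
    $hostOnly  = headersForRedirect($headers, $from, $to, 'stripAuthHostOnly');
    $corrected = headersForRedirect($headers, $from, $to, 'stripAuthHostOrDowngrade');
    printf(
        "%-24s -> %-24s  host-only keeps Authorization: %-3s  corrected keeps Authorization: %s\n",
        $from,
        $to,
        array_key_exists('Authorization', $hostOnly) ? 'yes' : 'no',
        array_key_exists('Authorization', $corrected) ? 'yes' : 'no'
    );
}
```

The third case is the one the report is about: under the host-only rule the Authorization header survives the https-to-http hop, while the corrected rule drops it. The fourth case shows that an upgrade in the other direction is deliberately left alone, and the scheme comparison is lowercased so that an uppercase `HTTP` in the Location target cannot bypass the check.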

We are processing your report and will contact the guzzle team within 24 hours. 21 days ago
Graham Campbell
21 days ago

Researcher


@jamieslome, can you please approve this?

We have contacted a member of the guzzle team and are waiting to hear back 20 days ago
Jamie Slome validated this vulnerability 20 days ago

As requested by Graham above ☝️

Graham Campbell has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Jamie Slome
20 days ago

Admin


@grahamcampbell - let me know when you are ready with a fix, and I will confirm this against the report as well 👍

Graham Campbell
17 days ago

Researcher


We have been allocated CVE-2022-31043. This is NOT yet public at this time.

Please find below the draft description (@jamieslome - please review this):

Impact

Authentication headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, we should not forward the Authentication header on. This is much the same as how we don't forward on the header if the host changes. Prior to this fix, https to http downgrades did not result in the Authentication header being removed, only changes to the host.

Patches

Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4.

Workarounds

An alternative approach would be to use your own retry middleware, rather than ours, if you are unable to upgrade.

References

RFC9110 Section 15.4

For more information

If you have any questions or comments about this advisory, please get in touch with us in #guzzle on the PHP HTTP Slack. Do not report additional security advisories in that public channel, however - please follow our vulnerability reporting process.

Jamie Slome
17 days ago

Admin


@grahamcampbell - LGTM 👍

Are we able to add the huntr.dev report URL as a reference?

We have sent a fix follow up to the guzzle team. We will try again in 7 days. 17 days ago
Graham Campbell
16 days ago

Researcher


@jamieslome I am trying to mark this as fixed, by me, but it won't let me. Can you mark it as fixed, with the same details as I did for https://huntr.dev/bounties/3cbe222a-e6da-4347-85a2-433152c0ba15/?

Jamie Slome confirmed that a fix has been merged on 724562 16 days ago
Graham Campbell has been awarded the fix bounty
Jamie Slome
15 days ago

Admin


Sorted 👍
