CVE-2022-36032 in HTTPthông tin

Tóm tắt

Bởi MITRE • 06/09/2022

ReactPHP HTTP is a streaming HTTP client and server implementation for ReactPHP. In ReactPHP's HTTP server component versions starting with 0.7.0 and prior to 1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like `__Host-` and `__Secure-` confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. This issue is fixed in ReactPHP HTTP version 1.7.0. As a workaround, Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected `Cookie` request headers.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

chịu trách nhiệm

GitHub, Inc.

Đặt trước

15/07/2022

Tiết lộ

06/09/2022

Kiểm duyệt

được chấp nhận

EPSS

0.00804

KEV

không

Các hoạt động

rất thấp

Nguồn

Might our Artificial Intelligence support you?

Check our Alexa App!