CVE-2022-31043: 
PHP vulnerability analysis and mitigation

CVE-2022-31043 affects Guzzle, an open source PHP HTTP client. The vulnerability was discovered in June 2022 and involves the improper handling of Authorization headers during HTTPS to HTTP downgrades. In affected versions (Guzzle versions < 6.5.7 and < 7.4.4), when making a request using HTTPS scheme to a server that responds with a redirect to an HTTP scheme URI, the Authorization header was not properly removed from the forwarded request (GitHub Advisory).

The vulnerability stems from a security flaw in the redirect handling mechanism. Prior to the fix, while Guzzle would remove the Authorization header when the host changed during a redirect, it failed to do so during HTTPS to HTTP downgrades. The vulnerability has a CVSS score of 7.5 (High) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, no privileges required, no user interaction needed, and potential for high confidentiality impact (SecMaster).

The vulnerability could allow remote attackers to gain access to sensitive information through the exposure of Authorization headers. This is particularly concerning when requests are downgraded from HTTPS to HTTP, as the Authorization header containing sensitive authentication credentials could be exposed to unauthorized parties (GitHub Advisory).

Users of Guzzle 7 should upgrade to version 7.4.4, while users of earlier versions should upgrade to either version 6.5.7 or 7.4.4. For users unable to upgrade, alternative approaches include using their own redirect middleware or disabling redirects altogether if they are not required. The vulnerability has also been addressed in various dependent systems, such as Drupal versions 9.2.21, 9.3.16, and 9.4.0-rc2 (GitHub Advisory).