
Cloud Vulnerability DB
Guzzle, an extensible PHP HTTP client, was found to have a security vulnerability (CVE-2022-31090) related to the handling of authorization headers during redirects. The vulnerability was discovered and disclosed on June 20, 2022, affecting versions <=6.5.7 and >=7.0.0,<=7.4.4 (GitHub Advisory).
The vulnerability occurs when using the Curl handler with the CURLOPT_HTTPAUTH option. When a request receives a redirect to a URI with a different origin, the CURLOPT_HTTPAUTH and CURLOPT_USERPWD options were not cleared before the redirect was followed. Before the fix, only a change of host was treated as a change of origin; the fix treats a change in host, port, or scheme as a change of origin, and clears these sensitive authentication options in all three cases (GitHub Advisory).
The vulnerability could lead to unauthorized disclosure of sensitive authentication information. When following redirects to different origins, the authorization headers, which contain sensitive information, could be inappropriately forwarded to the new destination (GitHub Advisory).
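The origin check at the heart of this advisory, as an added example in Python (not Guzzle's own code): the "vulnerable" comparison mirrors the pre-fix behaviour (host only), the fixed comparison treats any change of scheme, host, or effective port as a new origin, and the redirect step drops the curl credential options only when the target is cross-origin. The option names and the sample URLs are taken from the advisory or constructed here.

```python
"""Cross-origin redirect check modelled on the CVE-2022-31090 fix (added example)."""
from urllib.parse import urlsplit

# Effective port when the URL carries none, so http://h and http://h:80 match.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Credential-bearing options the advisory says must be cleared on cross-origin redirects.
AUTH_OPTIONS = ("CURLOPT_HTTPAUTH", "CURLOPT_USERPWD")


def origin(url):
    """Return (scheme, host, effective port), normalised for comparison."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_cross_origin_vulnerable(original, redirect):
    """Pre-fix logic: only a host change counts as a different origin."""
    return origin(original)[1] != origin(redirect)[1]


def is_cross_origin(original, redirect):
    """Fixed logic: scheme, host or port change all count as a different origin."""
    return origin(original) != origin(redirect)


def follow_redirect(options, original, redirect, checker=is_cross_origin):
    """Return the options for the redirected request.

    `options` is a constructed dict of curl-style options; credential options
    are removed when `checker` reports the redirect target as a new origin.
    """
    new_options = dict(options)
    if checker(original, redirect):
        for key in AUTH_OPTIONS:
            new_options.pop(key, None)
    return new_options


if __name__ == "__main__":
    # Constructed request: same host, but the redirect downgrades https -> http.
    opts = {"CURLOPT_HTTPAUTH": "basic", "CURLOPT_USERPWD": "user:secret"}
    src, dst = "https://api.example.com/login", "http://api.example.com/login"
    print("pre-fix keeps creds:", "CURLOPT_USERPWD" in follow_redirect(opts, src, dst, is_cross_origin_vulnerable))
    print("fixed drops creds:  ", "CURLOPT_USERPWD" not in follow_redirect(opts, src, dst))
```

The same host on a different port (for example `https://api.example.com:8443/`) is treated the same way: kept by the pre-fix check, cleared by the fixed one.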
Users are advised to upgrade to Guzzle version 7.4.5 or 6.5.8, which contain the security fix. For those unable to upgrade immediately, two workarounds are available: either disable redirects completely if they are not required, or use the Guzzle stream handler backend instead of curl (GitHub Advisory).
Source: This report was generated using AI