{"id":"UBUNTU-CVE-2022-31090","details":"Guzzle is an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin (change in host, scheme or port), if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` option before continuing, stopping curl from appending the `Authorization` header to the new request. Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header; however, this earlier fix did not cover change in scheme or change in port. If you do not require or expect redirects to be followed, you should simply disable redirects altogether. 
Alternatively, you can use the Guzzle stream handler backend rather than curl.","modified":"2026-04-27T17:37:29.413826Z","published":"2022-06-27T22:15:00Z","upstream":["CVE-2022-31090"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-31090"},{"type":"REPORT","url":"https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r"},{"type":"REPORT","url":"https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82"},{"type":"REPORT","url":"https://github.com/guzzle/guzzle/commit/1dd98b0564cb3f6bd16ce683cb755f94c10fbd82"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2022-31090"}],"affected":[{"package":{"name":"civicrm","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/civicrm@4.7.1+dfsg-2ubuntu1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.7.1+dfsg-1","4.7.1+dfsg-2","4.7.1+dfsg-2ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"4.7.1+dfsg-2ubuntu1","binary_name":"civicrm-common"},{"binary_version":"4.7.1+dfsg-2ubuntu1","binary_name":"civicrm-l10n"},{"binary_version":"4.7.1+dfsg-2ubuntu1","binary_name":"drupal7-mod-civicrm"},{"binary_version":"4.7.1+dfsg-2ubuntu1","binary_name":"wordpress-civicrm"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31090.json"}},{"package":{"name":"civicrm","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/civicrm@4.7.30+dfsg-1ubuntu1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.7.23+dfsg-1ubuntu1","4.7.24+dfsg-1ubuntu1","4.7.30+dfsg-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"4.7.30+dfsg-1ubuntu1","binary_name":"civicrm-common"},{"binary_version":"4.7.30+dfsg-1ubuntu1","binary_name":"civicrm-l10n"},{"binary_version":"4.7.30+dfsg-1ubuntu1","binary_name":"wordpress-civicrm"}]},"database_specific":{"source":"https://github.c
om/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31090.json"}},{"package":{"name":"mediawiki","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/mediawiki@1:1.27.4-3?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:1.27.3-1","1:1.27.4-1","1:1.27.4-2","1:1.27.4-3"],"ecosystem_specific":{"binaries":[{"binary_version":"1:1.27.4-3","binary_name":"mediawiki"},{"binary_version":"1:1.27.4-3","binary_name":"mediawiki-classes"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31090.json"}},{"package":{"name":"civicrm","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/civicrm@5.21.2+dfsg-1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["5.11.0+dfsg-1","5.18.1+dfsg-1","5.20.3+dfsg-1","5.21.0+dfsg-1","5.21.1+dfsg-1","5.21.2+dfsg-1"],"ecosystem_specific":{"binaries":[{"binary_version":"5.21.2+dfsg-1","binary_name":"civicrm-common"},{"binary_version":"5.21.2+dfsg-1","binary_name":"civicrm-l10n"},{"binary_version":"5.21.2+dfsg-1","binary_name":"wordpress-civicrm"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31090.json"}},{"package":{"name":"mediawiki","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/mediawiki@1:1.31.7-1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:1.31.2-1ubuntu1","1:1.31.5-1","1:1.31.5-1ubuntu1","1:1.31.5-2","1:1.31.5-3","1:1.31.5-3ubuntu1","1:1.31.6-1","1:1.31.7-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:1.31.7-1","binary_name":"mediawiki"},{"binary_version":"1:1.31.7-1","binary_name":"mediawiki-classes"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31090.json"}},{"package":{"name":"civicrm","ecosystem":"Ubunt
u:22.04:LTS","purl":"pkg:deb/ubuntu/civicrm@5.33.2+dfsg1-1ubuntu1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["5.33.2+dfsg1-1","5.33.2+dfsg1-1build1","5.33.2+dfsg1-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"5.33.2+dfsg1-1ubuntu1","binary_name":"civicrm-common"},{"binary_version":"5.33.2+dfsg1-1ubuntu1","binary_name":"civicrm-l10n"},{"binary_version":"5.33.2+dfsg1-1ubuntu1","binary_name":"wordpress-civicrm"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31090.json"}},{"package":{"name":"icinga-php-thirdparty","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/icinga-php-thirdparty@0.10.0-1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.10.0-1"],"ecosystem_specific":{"binaries":[{"binary_version":"0.10.0-1","binary_name":"icinga-php-thirdparty"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31090.json"}},{"package":{"name":"icingaweb2-module-reactbundle","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/icingaweb2-module-reactbundle@0.9.0-1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.8.0-1.1","0.9.0-1"],"ecosystem_specific":{"binaries":[{"binary_version":"0.9.0-1","binary_name":"icingaweb2-module-reactbundle"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31090.json"}},{"package":{"name":"mediawiki","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/mediawiki@1:1.35.6-1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:1.35.3-1","1:1.35.4-1","1:1.35.5-1","1:1.35.5-1ubuntu1","1:1.35.5-1ubuntu2","1:1.35.5-1ubuntu3","1:1.35.6-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:
1.35.6-1","binary_name":"mediawiki"},{"binary_version":"1:1.35.6-1","binary_name":"mediawiki-classes"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31090.json"}},{"package":{"name":"icinga-php-thirdparty","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/icinga-php-thirdparty@0.12.1+ds-1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.11.0-2","0.12.0+ds-1","0.12.1+ds-1"],"ecosystem_specific":{"binaries":[{"binary_version":"0.12.1+ds-1","binary_name":"icinga-php-thirdparty"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31090.json"}},{"package":{"name":"icingaweb2-module-reactbundle","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/icingaweb2-module-reactbundle@0.9.0-1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.9.0-1"],"ecosystem_specific":{"binaries":[{"binary_version":"0.9.0-1","binary_name":"icingaweb2-module-reactbundle"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31090.json"}},{"package":{"name":"icinga-php-thirdparty","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/icinga-php-thirdparty@0.12.1+ds-1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.12.1+ds-1"],"ecosystem_specific":{"binaries":[{"binary_version":"0.12.1+ds-1","binary_name":"icinga-php-thirdparty"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31090.json"}},{"package":{"name":"icingaweb2-module-reactbundle","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/icingaweb2-module-reactbundle@0.9.0-1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.9.0
-1"],"ecosystem_specific":{"binaries":[{"binary_version":"0.9.0-1","binary_name":"icingaweb2-module-reactbundle"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31090.json"}},{"package":{"name":"icinga-php-thirdparty","ecosystem":"Ubuntu:26.04","purl":"pkg:deb/ubuntu/icinga-php-thirdparty@0.14.0+ds-1?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.12.1+ds-1","0.13.1+ds-1","0.14.0+ds-1"],"ecosystem_specific":{"binaries":[{"binary_version":"0.14.0+ds-1","binary_name":"icinga-php-thirdparty"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31090.json"}},{"package":{"name":"icingaweb2-module-reactbundle","ecosystem":"Ubuntu:26.04","purl":"pkg:deb/ubuntu/icingaweb2-module-reactbundle@0.9.0-1build1?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.9.0-1","0.9.0-1build1"],"ecosystem_specific":{"binaries":[{"binary_version":"0.9.0-1build1","binary_name":"icingaweb2-module-reactbundle"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31090.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}