
vonage/client-4.0.0: 2 vulnerabilities (highest severity is: 7.5)

Open mend-for-github-com[bot] opened this issue 1 year ago • 0 comments

Vulnerable Library - vonage/client-4.0.0

Found in HEAD commit: 16c56b01c3e1dcfc5f55ba5e115f4a4aa8d69678

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (vonage/client version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-29530 | High | 7.5 | Not Defined | 0.1% | laminas/laminas-diactoros-2.24.0 | Transitive | N/A* | | |
| CVE-2023-29197 | Medium | 5.3 | Proof of concept | 0.3% | guzzlehttp/psr7-2.4.3 | Transitive | N/A* | | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-29530

Vulnerable Library - laminas/laminas-diactoros-2.24.0

PSR HTTP Message implementations

Library home page: https://api.github.com/repos/laminas/laminas-diactoros/zipball/6028af6c3b5ced4d063a680d2483cce67578b902

Dependency Hierarchy:

  • vonage/client-4.0.0 (Root Library)
    • vonage/client-core-4.0.10
      • laminas/laminas-diactoros-2.24.0 (Vulnerable Library)

Found in HEAD commit: 16c56b01c3e1dcfc5f55ba5e115f4a4aa8d69678

Found in base branch: main

Vulnerability Details

Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in following versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling withHeader().

Publish Date: 2023-04-24

URL: CVE-2023-29530

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-xv3h-4844-9h36

Release Date: 2023-04-24

Fix Resolution: 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.2, 2.25.2 (for the 2.24 and 2.25 branches these targets are one patch release above the 2.24.1 and 2.25.1 named in the description; upgrade to the versions listed here)

CVE-2023-29197

Vulnerable Library - guzzlehttp/psr7-2.4.3

PSR-7 message implementation that also provides common utility methods

Library home page: https://api.github.com/repos/guzzle/psr7/zipball/67c26b443f348a51926030c83481b85718457d3d

Dependency Hierarchy:

  • vonage/client-4.0.0 (Root Library)
    • guzzlehttp/guzzle-7.5.0
      • guzzlehttp/psr7-2.4.3 (Vulnerable Library)

Found in HEAD commit: 16c56b01c3e1dcfc5f55ba5e115f4a4aa8d69678

Found in base branch: main

Vulnerability Details

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade.
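Both advisories above (CVE-2023-29530 and CVE-2023-29197) turn on the same mechanism: a CR or LF that reaches the wire inside a header name or value is read by the receiver as a line break, so it either injects a header or ends the header block early. The following is an added illustration in Python, not code from laminas-diactoros, guzzle/psr7 or the Vonage client; it models a trusting PSR-7 style serializer next to a hardened one that applies the laminas workaround (strip leading and trailing newlines from user-supplied values) and then rejects anything still carrying CR or LF, which is what the patched releases enforce. The function names, the lenient parser and the sample header values are constructed for the example.

```python
"""Added illustration in Python, not code from laminas-diactoros, guzzle/psr7
or the vonage client. A PSR-7 style builder that trusts header names and
values emits a raw message that a lenient parser (one accepting a bare LF as
a line break and LF LF as end of headers, as the psr7 advisory says many
servers do) reads as extra attacker-controlled headers, or as a header block
that ends early. The hardened builder applies the laminas workaround (strip
leading/trailing CR and LF from user-supplied values) and then rejects any
name or value that still contains CR or LF."""
import re

# RFC 7230 "token" characters, the only ones allowed in a header field-name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderInjection(ValueError):
    """Raised by the hardened builder when a name or value would split a line."""


def serialize_headers_unsafe(headers):
    """The 'before': emits whatever it is given, so CR/LF in a value or name
    lands in the wire format unchanged. `headers` is a list of (name, value)."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"


def parse_headers_lenient(raw):
    """Lenient receiver: treats LF as well as CRLF as a line terminator and a
    blank line (including LF LF or LF CRLF) as end of headers. Returns the
    (name, value) pairs it sees."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    parsed = []
    for line in re.split(r"\r?\n", head):
        if line:
            name, _, value = line.partition(":")
            parsed.append((name.strip(), value.strip()))
    return parsed


def clean_header_value(value):
    """Workaround from the laminas advisory: strip leading and trailing
    newlines (and other surrounding whitespace) from a user-supplied value."""
    return value.strip(" \t\r\n")


def validate_header(name, value):
    """What the patched libraries enforce: a token field-name and no CR or LF
    anywhere in the value. Returns the pair unchanged when it is acceptable."""
    if not _TOKEN.match(name):
        raise HeaderInjection(f"invalid header name {name!r}")
    if "\r" in value or "\n" in value:
        raise HeaderInjection(f"CR/LF inside value of {name!r}")
    return name, value


def serialize_headers_safe(headers):
    """The 'after': clean, validate, then serialize."""
    return serialize_headers_unsafe(
        [validate_header(n, clean_header_value(v)) for n, v in headers])


def build_safely(headers):
    """Return the hardened serialization, or None if it was rejected."""
    try:
        return serialize_headers_safe(headers)
    except HeaderInjection:
        return None


# Constructed inputs, e.g. a redirect target or content type taken from a request.
INJECTED = [("Location", "https://trusted.example\nSet-Cookie: sid=attacker")]
TRAILING = [("Content-Type", "text/plain\n"), ("X-Request-Id", "req-42")]

if __name__ == "__main__":
    # Embedded LF: the lenient parser sees a second, injected header.
    print(parse_headers_lenient(serialize_headers_unsafe(INJECTED)))
    # Trailing LF (the laminas case): LF CRLF reads as end of headers, so
    # X-Request-Id silently becomes body content.
    print(parse_headers_lenient(serialize_headers_unsafe(TRAILING)))
    # Hardened: the injection is refused; the trailing newline is stripped.
    print(build_safely(INJECTED))
    print(parse_headers_lenient(build_safely(TRAILING)))
```

The stripping step alone is only the workaround: it makes a trailing newline harmless but leaves an embedded one intact, which is why the hardened builder still validates after cleaning. Upgrading to the patched versions is what gives this behaviour inside the library for every call site.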

Publish Date: 2023-04-17

URL: CVE-2023-29197

Threat Assessment

Exploit Maturity: Proof of concept

EPSS: 0.3%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw

Release Date: 2023-04-17

Fix Resolution: 1.9.1, 2.4.5
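Because both findings are transitive and the report lists no vonage/client release that resolves them, the practical check is against the lock file: does the installed laminas-diactoros or guzzlehttp/psr7 version carry the fix for its own release branch? The fixes above are per branch (2.24.x is fixed at 2.24.2, 2.25.x at 2.25.2), so a plain "installed is at least the lowest fixed version" comparison would wrongly clear 2.24.0. The following is an added example, not Mend's or Vonage's tooling; the function names and the composer.lock excerpt are constructed for it, and the patched versions are copied from the two Fix Resolution lines in this report.

```python
"""Added example, not Mend's or Vonage's tooling: decide from a composer.lock
whether the two transitive findings in this report are still open. The fixes
listed under "Fix Resolution" are per release branch, so each installed
version is compared with the fix for its own major.minor branch."""
import json
import re

# Patched versions exactly as listed in the two "Fix Resolution" lines above.
FIXES = {
    "laminas/laminas-diactoros": ["2.18.1", "2.19.1", "2.20.1", "2.21.1",
                                  "2.22.1", "2.23.1", "2.24.2", "2.25.2"],
    "guzzlehttp/psr7": ["1.9.1", "2.4.5"],
}


def parse_version(text):
    """'v2.24.0' -> (2, 24, 0); a suffix such as '-p1' or '-beta' is ignored."""
    nums = []
    for part in text.lstrip("v").split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def is_fixed(package, installed):
    """True when `installed` is at or above the patched release for its
    major.minor branch. A branch with no listed fix counts as fixed only if it
    is newer than every fix on the same major (or, with no fix on that major,
    newer than every listed fix); anything older is in the affected range."""
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in FIXES[package]]
    same_branch = [f for f in fixes if f[:2] == inst[:2]]
    if same_branch:
        return inst >= same_branch[0]
    same_major = [f for f in fixes if f[0] == inst[0]] or fixes
    return inst > max(same_major)


def audit_lock(lock_text):
    """Map each package from this report that appears in the lock file to its
    installed version and whether that version carries the fix."""
    lock = json.loads(lock_text)
    result = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg["name"] in FIXES:
            result[pkg["name"]] = {
                "installed": pkg["version"],
                "fixed": is_fixed(pkg["name"], pkg["version"]),
            }
    return result


# Constructed excerpt of a composer.lock matching the hierarchy in this report;
# a real lock file carries many more fields per package.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "vonage/client", "version": "4.0.0"},
        {"name": "vonage/client-core", "version": "4.0.10"},
        {"name": "laminas/laminas-diactoros", "version": "2.24.0"},
        {"name": "guzzlehttp/guzzle", "version": "7.5.0"},
        {"name": "guzzlehttp/psr7", "version": "2.4.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, info in audit_lock(SAMPLE_LOCK).items():
        state = "fixed" if info["fixed"] else "VULNERABLE"
        print(f"{name} {info['installed']}: {state}")
```

On a real checkout, feed it the project's composer.lock. Where a package reports as vulnerable, `composer update laminas/laminas-diactoros guzzlehttp/psr7` will typically pull the patched release without touching vonage/client, since each fix sits on the already-installed minor branch, and `composer audit` (Composer 2.4 and later) cross-checks the lock against published advisories afterwards.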