The Drupal security team has issued a “moderately critical” advisory to draw attention to major flaws in a third-party library, warning that hackers might use the flaws to take control of Drupal-powered sites remotely.
Two vulnerabilities, CVE-2022-31042 and CVE-2022-31043, were found and fixed in Guzzle, a third-party library that Drupal uses to send HTTP requests to external services and handle their responses.
According to the Drupal advisory, “they do not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.” Guzzle published separate advisories describing the flaws as a failure to strip the Cookie header on a change in host or an HTTP downgrade, and a failure to strip the Authorization header on an HTTP downgrade.
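The redirect policy the advisories describe, written here as an added Python illustration rather than Drupal's or Guzzle's own code: credential-bearing headers are dropped whenever a redirect changes host or downgrades from https to http. It also drops Authorization on a host change, which is standard client behaviour beyond the downgrade case the advisories name; the hostnames, paths and header values are constructed.

```python
from urllib.parse import urljoin, urlsplit

# Credential-bearing headers that must not survive a redirect to a different
# host or a downgrade from https to http (the two conditions the advisories name).
SENSITIVE_HEADERS = frozenset({"cookie", "authorization"})


def crosses_trust_boundary(from_url: str, to_url: str) -> bool:
    """True when a redirect changes the host or downgrades https to http."""
    src, dst = urlsplit(from_url), urlsplit(to_url)
    host_changed = (src.hostname or "").lower() != (dst.hostname or "").lower()
    downgraded = src.scheme == "https" and dst.scheme == "http"
    return host_changed or downgraded


def headers_for_redirect(from_url: str, to_url: str, headers: dict) -> dict:
    """Headers that may be resent to to_url after a redirect from from_url.

    Header names are compared case-insensitively, so 'Cookie' and 'cookie'
    are both treated as sensitive.
    """
    if not crosses_trust_boundary(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirects(start_url: str, headers: dict, responses: dict) -> list:
    """Simulate a client walking a redirect chain.

    `responses` is a constructed map url -> (status, Location or None) that
    stands in for the network. Returns (url, headers actually sent) per hop.
    """
    url, sent, hops = start_url, dict(headers), []
    for _ in range(10):  # bound the chain, as a real client does
        hops.append((url, dict(sent)))
        status, location = responses[url]
        if status not in (301, 302, 303, 307, 308) or location is None:
            break
        next_url = urljoin(url, location)
        sent = headers_for_redirect(url, next_url, sent)
        url = next_url
    return hops


# Constructed chain: a same-host redirect, then an https -> http downgrade.
CONSTRUCTED_RESPONSES = {
    "https://api.example.com/login": (302, "/v1/login"),
    "https://api.example.com/v1/login": (302, "http://api.example.com/legacy"),
    "http://api.example.com/legacy": (200, None),
}

if __name__ == "__main__":
    hdrs = {"Cookie": "session=abc", "Authorization": "Bearer tok", "Accept": "*/*"}
    for url, sent in follow_redirects("https://api.example.com/login", hdrs, CONSTRUCTED_RESPONSES):
        print(url, sorted(sent))  # the last hop sends only Accept
```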
Read More: https://www.securityweek.com/drupal-patches-high-risk-third-party-library-flaws