Drupal 9 Core with Moderately Critical Vulnerability in Guzzle Library 

The Drupal Security Team announced on March 21, 2022, a moderately critical vulnerability in a Drupal 9 Core third-party library, published as SA-CORE-2022-006. The vulnerability is classified as moderately critical based on its risk score of 11/25 (AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Default).

Drupal uses the third-party Guzzle library for handling HTTP requests to, and responses from, external services. Guzzle released a security update for CVE-2022-24775, which can affect some Drupal sites.

The Drupal Security Team announced they were issuing this security advisory outside the regular Drupal security release window schedule since Guzzle has already published information about the vulnerability, and vulnerabilities might exist with core, contributed modules, or custom modules that use Guzzle for outgoing requests. Guzzle has rated this vulnerability as low-risk.

The issue was reported by Jeroen Tubex, Technical lead at IO, and Damien McKenna of the Drupal Security Team and was fixed by Jess, Alex Pott, Lee Rowlands, Greg Knaddison, and Peter Wolanin of the Drupal Security Team.

Solution:

The recommendation is to install the latest version: Drupal 9.3 users should update to Drupal 9.3.9, and Drupal 9.2 users are advised to update to Drupal 9.2.16.

Note: Drupal 7 is not affected. This advisory is not covered by Drupal Steward. In both the Drupal 9.3.9 and Drupal 9.2.10 releases, no changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files, so updating custom versions of those files is not necessary if your site is already on the previous release.

Source: https://www.drupal.org/sa-core-2022-006
