Package guzzlehttp/guzzle 7.4.4 suffers from vulnerabilities CVE-2022-31090 and CVE-2022-31091.
Summary
The 5.0 branch of oro/platform is installed with v7.4.4 of the package guzzlehttp/guzzle.
However, this version is affected by vulnerabilities CVE-2022-31090 and CVE-2022-31091.
It is recommended to upgrade to v7.4.5.
Steps to reproduce
First, install local-php-security-checker (see https://github.com/fabpot/local-php-security-checker)
git clone git@github.com:oroinc/platform.git
composer install
local-php-security-checker
Actual Result
Symfony Security Check Report
=============================
1 package has known vulnerabilities.
guzzlehttp/guzzle (7.4.4)
-------------------------
* [CVE-2022-31090][]: CURLOPT_HTTPAUTH option not cleared on change of origin
* [CVE-2022-31091][]: Change in port should be considered a change in origin
[CVE-2022-31090]: https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r
[CVE-2022-31091]: https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699
Note that this checker can only detect vulnerabilities that are referenced in the security advisories database.
Execute this command regularly to check the newly discovered vulnerabilities.
Expected Result
Symfony Security Check Report
=============================
No packages have known vulnerabilities.
Note that this checker can only detect vulnerabilities that are referenced in the security advisories database.
Execute this command regularly to check the newly discovered vulnerabilities.
Details about your environment
- OroPlatform version: 5.0.5
- PHP version: 8.0
- Database (MySQL, PostgreSQL): Not installed
- Server operating system: Ubuntu 64-bit
Additional information
I tested that these lines in composer.json should be updated:
"guzzlehttp/guzzle": ">=7.4.5 <7.5.0",
"guzzlehttp/psr7": "~1.9.0",
Disclaimer: I did not run unit tests or functional tests.
Thank you for the report. The next patch release will include the fix. The internal ticket id is BAP-21447.
Fixed in v5.0.4 and v4.2.13.