Cyber Resilience

CVE-2023-29197

Medium

Published: 17 April 2023

Published
17 April 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score 0.0478 89.7th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-29197 is a medium-severity Interpretation Conflict (CWE-436) vulnerability in Guzzlephp Psr-7. Its CVSS base score is 5.3 (Medium).

Operationally, ranked in the top 10.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is…

more

used to terminate the header list, many servers in the wild will also accept \n\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

guzzlephp
psr-7
≤ 1.9.1 · 2.0.0 — 2.4.5
fedoraproject
fedora
37, 38

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References