=====================================================================

                              CERT-Renater

                  Note d'Information No. 2022/VULN322

_____________________________________________________________________

DATE                : 12/09/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running react/http (Composer) versions
                                 prior to 1.7.0.

=====================================================================
https://github.com/reactphp/http/security/advisories/GHSA-w3w9-vrf5-8mx8
_____________________________________________________________________

ReactPHP's HTTP server parses encoded cookie names so malicious 
`__Host-` and `__Secure-` cookies can be sent

Moderate	WyriHaximus published GHSA-w3w9-vrf5-8mx8

Package
  react/http (Composer)

Affected versions
>= 0.7.0, < 1.7.0

Patched versions
1.7.0


Description

Impact

In ReactPHP's HTTP server component versions below v1.7.0, when
ReactPHP is processing incoming HTTP cookie values, the cookie
names are url-decoded. This may lead to cookies with prefixes
like __Host- and __Secure- confused with cookies that decode to
such prefix, thus leading to an attacker being able to forge
cookie which is supposed to be secure. See also CVE-2020-7070
and CVE-2020-8184 for more information.


Patches

663c9a3 - Fixed in reactphp/http v1.7.0


Workarounds

Infrastructure or DevOps can place a reverse proxy in front of the
ReactPHP HTTP server to filter out any unexpected Cookie request
headers.


References

CVE-2020-7070, https://bugs.php.net/bug.php?id=79699 and php/php-src@6559fe9

CVE-2020-8184, https://hackerone.com/reports/895727 and rack/rack@1f5763d

Originally introduced via #175


Credits

Thanks to Marco Squarcina (TU Wien) for reporting this and working
with us to coordinate this security advisory


For more information

If you have any questions or comments about this advisory:

Join the discussion
Email us at support@reactphp.org


Severity
Moderate

5.3/ 10

CVSS base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
None

User interaction
None

Scope
Unchanged

Confidentiality
None

Integrity
Low

Availability
None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE ID
CVE-2022-36032

Weaknesses
No CWEs

Credits
@lavish lavish


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================