<div dir="ltr">View online: <a href="https://www.drupal.org/sa-core-2022-010" rel="noreferrer" target="_blank">https://www.drupal.org/sa-core-2022-010</a><br><br>Project: Drupal core [1]<br>Date: 2022-May-25<br>Security risk: *Moderately critical* 13∕25<br>AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]<br>Vulnerability: Third-party libraries<br><br>CVE IDs: CVE-2022-29248<br>Description: <br>Drupal uses the third-party Guzzle library for handling HTTP requests and<br>responses to external services. Guzzle has released a security update [3]<br>which does not affect Drupal core, but may affect some contributed projects<br>or custom code on Drupal sites.<br><br>We are issuing this security advisory outside our regular Drupal security<br>release window schedule [4] since Guzzle has already published information<br>about the vulnerability, and vulnerabilities might exist in contributed<br>modules or custom modules that use Guzzle for outgoing requests. Guzzle has<br>rated this vulnerability as high-risk.<br><br>This advisory is not covered by Drupal Steward.<br><br>Solution: <br>Install the latest version:<br><br>   * If you are using Drupal 9.3, update to Drupal 9.3.14 [5].<br>   * If you are using Drupal 9.2, update to Drupal 9.2.20 [6].<br><br>All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive<br>security coverage. 
Note that Drupal 8 has reached its end of life [7].<br><br>Drupal 7 is not affected.<br><br>Reported By: <br>   * Dezső BICZÓ [8]<br>   * mayela [9]<br><br>Fixed By: <br>   * cilefen  [10] of the Drupal Security Team<br>   * Jess  [11] of the Drupal Security Team<br>   * Dezső BICZÓ [12]<br>   * Greg Knaddison [13] of the Drupal Security Team<br>   * Benji Fisher [14], provisional member of the Drupal Security Team<br>   * Damien McKenna [15] of the Drupal Security Team<br>   * Alex Pott [16] of the Drupal Security Team<br><br><br>[1] <a href="https://www.drupal.org/project/drupal" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal</a><br>[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>[3] <a href="https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3" rel="noreferrer" target="_blank">https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3</a><br>[4] <a href="https://www.drupal.org/node/1173280" rel="noreferrer" target="_blank">https://www.drupal.org/node/1173280</a><br>[5] <a href="https://www.drupal.org/project/drupal/releases/9.3.9" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/9.3.9</a><br>[6] <a href="https://www.drupal.org/project/drupal/releases/9.2.20" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/9.2.20</a><br>[7] <a href="https://www.drupal.org/psa-2021-06-29" rel="noreferrer" target="_blank">https://www.drupal.org/psa-2021-06-29</a><br>[8] <a href="https://www.drupal.org/user/315522" rel="noreferrer" target="_blank">https://www.drupal.org/user/315522</a><br>[9] <a href="https://www.drupal.org/user/3351026" rel="noreferrer" target="_blank">https://www.drupal.org/user/3351026</a><br>[10] <a href="https://www.drupal.org/user/1850070" rel="noreferrer" target="_blank">https://www.drupal.org/user/1850070</a><br>[11] <a 
href="https://www.drupal.org/user/65776" rel="noreferrer" target="_blank">https://www.drupal.org/user/65776</a><br>[12] <a href="https://www.drupal.org/user/315522" rel="noreferrer" target="_blank">https://www.drupal.org/user/315522</a><br>[13] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>[14] <a href="https://www.drupal.org/user/683300" rel="noreferrer" target="_blank">https://www.drupal.org/user/683300</a><br>[15] <a href="https://www.drupal.org/user/108450" rel="noreferrer" target="_blank">https://www.drupal.org/user/108450</a><br>[16] <a href="https://www.drupal.org/user/157725" rel="noreferrer" target="_blank">https://www.drupal.org/user/157725</a><br><br>_______________________________________________<br>Security-news mailing list<br><a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a></div><div>Contact: +55 19 3521-2289 or INOC-DBA: 1251*830</div></div></div></div></div>