You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.
AWS SDK for PHP is the Amazon Web Services software development kit for PHP. Within the scope of requests to S3 object keys and/or prefixes containing a Unix double-dot, a URI path traversal is possible. The issue exists in the buildEndpoint method in the RestSerializer component of the AWS SDK for PHP v3 prior to 3.288.1. The buildEndpoint method relies on the Guzzle Psr7 UriResolver utility, which strips dot segments from the request path in accordance with RFC 3986. Under certain conditions, this could lead to an arbitrary object being accessed. This issue has been patched in version 3.288.1.
mend-for-github-combot
changed the title
aws/aws-sdk-php-3.139.1: 6 vulnerabilities (highest severity is: 8.1)
aws/aws-sdk-php-3.139.1: 1 vulnerabilities (highest severity is: 7.5)
Jan 6, 2023
mend-for-github-combot
changed the title
aws/aws-sdk-php-3.139.1: 1 vulnerabilities (highest severity is: 7.5)
aws/aws-sdk-php-3.139.1: 1 vulnerabilities (highest severity is: 7.5) - autoclosed
Jan 8, 2023
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
mend-for-github-combot
changed the title
aws/aws-sdk-php-3.139.1: 1 vulnerabilities (highest severity is: 7.5) - autoclosed
aws/aws-sdk-php-3.139.1: 1 vulnerabilities (highest severity is: 7.5)
Oct 12, 2023
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
mend-for-github-combot
changed the title
aws/aws-sdk-php-3.139.1: 1 vulnerabilities (highest severity is: 7.5)
aws/aws-sdk-php-3.139.1: 2 vulnerabilities (highest severity is: 7.5)
Dec 25, 2023
mend-for-github-combot
changed the title
aws/aws-sdk-php-3.139.1: 2 vulnerabilities (highest severity is: 7.5)
aws/aws-sdk-php-3.139.1: 3 vulnerabilities (highest severity is: 7.5)
Mar 3, 2024
Vulnerable Library - aws/aws-sdk-php-3.139.1
AWS SDK for PHP - Use Amazon Web Services in your PHP project
Library home page: https://api.github.com/repos/aws/aws-sdk-php/zipball/31fc7fc73d550e237b34f7c6802250fd4ade9a01
Found in HEAD commit: a98b02cc6219479db20e92032a8c3cb68016cfdb
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-24775
Vulnerable Library - guzzlehttp/psr7-1.6.1
PSR-7 HTTP message library
Dependency Hierarchy:
Found in HEAD commit: a98b02cc6219479db20e92032a8c3cb68016cfdb
Found in base branch: main
Vulnerability Details
guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8.4 and 2.1.1 are vulnerable to improper header parsing. An attacker could sneak in a new line character and pass untrusted values. The issue is patched in 1.8.4 and 2.1.1. There are currently no known workarounds.
Publish Date: 2022-03-21
URL: CVE-2022-24775
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-q7rv-6hp3-vh96
Release Date: 2022-03-21
Fix Resolution: 1.8.4,2.1.1
CVE-2022-23395
Vulnerable Library - aws/aws-sdk-php-3.139.1
AWS SDK for PHP - Use Amazon Web Services in your PHP project
Library home page: https://api.github.com/repos/aws/aws-sdk-php/zipball/31fc7fc73d550e237b34f7c6802250fd4ade9a01
Dependency Hierarchy:
Found in HEAD commit: a98b02cc6219479db20e92032a8c3cb68016cfdb
Found in base branch: main
Vulnerability Details
jQuery Cookie 1.4.1 is affected by prototype pollution, which can lead to DOM cross-site scripting (XSS).
Publish Date: 2022-03-02
URL: CVE-2022-23395
CVSS 3 Score Details (6.1)
Base Score Metrics:
CVE-2023-51651
Vulnerable Library - aws/aws-sdk-php-3.139.1
AWS SDK for PHP - Use Amazon Web Services in your PHP project
Library home page: https://api.github.com/repos/aws/aws-sdk-php/zipball/31fc7fc73d550e237b34f7c6802250fd4ade9a01
Dependency Hierarchy:
Found in HEAD commit: a98b02cc6219479db20e92032a8c3cb68016cfdb
Found in base branch: main
Vulnerability Details
AWS SDK for PHP is the Amazon Web Services software development kit for PHP. Within the scope of requests to S3 object keys and/or prefixes containing a Unix double-dot, a URI path traversal is possible. The issue exists in the
buildEndpoint
method in the RestSerializer component of the AWS SDK for PHP v3 prior to 3.288.1. ThebuildEndpoint
method relies on the Guzzle Psr7 UriResolver utility, which strips dot segments from the request path in accordance with RFC 3986. Under certain conditions, this could lead to an arbitrary object being accessed. This issue has been patched in version 3.288.1.Publish Date: 2023-12-22
URL: CVE-2023-51651
CVSS 3 Score Details (6.0)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-51651
Release Date: 2023-12-22
Fix Resolution: 3.288.1
The text was updated successfully, but these errors were encountered: