it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] HTTP Client Manager - Less critical - Information disclosure - SA-CONTRIB-2025-126
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] HTTP Client Manager - Less critical - Information disclosure - SA-CONTRIB-2025-126
- Date: Wed, 17 Dec 2025 17:47:14 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2025-126
Project: HTTP Client Manager [1]
Date: 2025-December-17
Security risk: *Less critical* 8 ∕ 25
AC:Complex/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Information disclosure
Affected versions: <9.3.13 || >=10.0.0 <10.0.2 || >=11.0.0 <11.0.1
CVE IDs: CVE-2025-14840
Description:
Http Client Manager introduces a new Guzzle-based plugin which allows you to
manage HTTP clients using Guzzle Service Descriptions via YAML, JSON or PHP
files, in a simple and efficient way. The module allows administrators to
configure HTTP requests as part of Event Condition Action (ECA) automation.
The module does not sufficiently maintain separation of data from request
operations, potentially leading to information disclosure in very uncommon
situations.
Solution:
Install the latest version:
* If you use the Http Client Manager module 9.3.x, upgrade to Http Client
Manager 9.3.13 [3]
* If you use the Http Client Manager module 10.0.x, upgrade to Http Client
Manager 10.0.2 [4]
* If you use the Http Client Manager module 11.0.x, upgrade to Http Client
Manager 11.0.1 [5]
Reported By:
* mxh [6]
Fixed By:
* Adriano Cori (aronne) [7]
* mxh [8]
Coordinated By:
* Greg Knaddison (greggles) [9] of the Drupal Security Team
* Juraj Nemec (poker10) [10] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [11]
[1] https://www.drupal.org/project/http_client_manager
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/http_client_manager/releases/9.3.13
[4] https://www.drupal.org/project/http_client_manager/releases/10.0.2
[5] https://www.drupal.org/project/http_client_manager/releases/11.0.1
[6] https://www.drupal.org/u/mxh
[7] https://www.drupal.org/u/aronne
[8] https://www.drupal.org/u/mxh
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/u/poker10
[11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3563748
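
One way to check a site's composer.lock against the affected ranges listed above. This is an added example, not part of the advisory or the module's code; it assumes the module is installed through Composer under the package name drupal/http_client_manager, and the lock fragment is constructed.

```python
import json
import re

# Assumption: Composer package name follows Drupal's drupal/<project> convention.
PACKAGE = "drupal/http_client_manager"

# Affected ranges from the advisory, as (lower inclusive, upper exclusive):
# <9.3.13 || >=10.0.0 <10.0.2 || >=11.0.0 <11.0.1
AFFECTED = [((0, 0, 0), (9, 3, 13)), ((10, 0, 0), (10, 0, 2)), ((11, 0, 0), (11, 0, 1))]

STABLE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def is_affected(version):
    """True/False for a stable x.y.z version, None when it cannot be decided."""
    m = STABLE.match(version.strip())
    if not m:
        return None  # dev branches and pre-releases need manual review
    v = tuple(int(p) for p in m.groups())
    return any(lo <= v < hi for lo, hi in AFFECTED)


def check_lock(lock_text):
    """Return (installed_version, affected) for the module, or None if absent."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            version = pkg.get("version", "")
            return version, is_affected(version)
    return None


# Constructed composer.lock fragment, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.1"},
        {"name": "drupal/http_client_manager", "version": "10.0.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
    for v in ("9.3.12", "9.3.13", "10.0.2", "11.0.0", "11.0.1", "10.0.x-dev"):
        print(v, is_affected(v))
```

A result of None means the version string is a dev branch or pre-release and has to be compared with the fixed releases by hand.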