Description

HTTPie is a command-line HTTP client. HTTPie has the practical concept of sessions, which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage. Before 3.1.0, HTTPie didn‘t distinguish between cookies and hosts they belonged. This behavior resulted in the exposure of some cookies when there are redirects originating from the actual host to a third party website. Users are advised to upgrade. There are no known workarounds.

Related CPE's

a

httpie

httpie

Vulnerable

o

fedoraproject

fedora

3

References

https://github.com/httpie/httpie/commit/65ab7d5caaaf2f95e61f9dd65441801c2ddee38b

PatchThird Party Advisory

https://github.com/httpie/httpie/releases/tag/3.1.0

Release NotesThird Party Advisory

https://github.com/httpie/httpie/security/advisories/GHSA-9w4w-cpc8-h2fq

ExploitThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4QZD2AZOL7XLNZVAV6GDNXYU6MFRU5RS/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5VYSYKEKVZEVEBIWAADGDXG4Y3EWCQ3/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXFCHGTW3V32GD6GXXJZE5QAOSDT3RTY/

Weaknesses

[email protected]

Primary
CWE-200

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

6.5 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2022-03-07T23:15:07.817

3 years ago

Last modified

2023-11-07T03:44:35.360

1 year ago