CVE-2022-24737 (Medium) detected in httpie-0.2.0.tar.gz

[mend-for-github-com]

CVE-2022-24737 - Medium Severity Vulnerability

Vulnerable Library - httpie-0.2.0.tar.gz

HTTPie - a CLI, cURL-like tool for humans.

Library home page: https://files.pythonhosted.org/packages/37/ad/b2ce98d7db29eb071deea837f5fe8e382e81f27fb81fc77862a1d5f3fbac/httpie-0.2.0.tar.gz

Path to dependency file: /folder2/requirements.txt

Path to vulnerable library: /folder2/requirements.txt

Dependency Hierarchy:

• ❌ httpie-0.2.0.tar.gz (Vulnerable Library)

Found in HEAD commit: 791b04c3cb959033a8316d3a840e94c302f01243

Found in base branch: master

Vulnerability Details

HTTPie is a command-line HTTP client. HTTPie has the practical concept of sessions, which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage. Before 3.1.0, HTTPie didn‘t distinguish between cookies and hosts they belonged. This behavior resulted in the exposure of some cookies when there are redirects originating from the actual host to a third party website. Users are advised to upgrade. There are no known workarounds.

Publish Date: 2022-03-07

URL: CVE-2022-24737

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w4w-cpc8-h2fq

Release Date: 2022-03-07

Fix Resolution: httpie - 3.1.0

---

⛑️ Automatic Remediation is available for this issue