CVE-2019-10751

Name: CVE-2019-10751
Description: All versions of the HTTPie package prior to version 1.0.3 are vulnerable to Open Redirect that allows an attacker to write an arbitrary file with supplied filename and content to the current directory, by redirecting a request from HTTP to a crafted URL pointing to a server in his or her control.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1937-1
Debian Bugs: 940058

Vulnerable and fixed packages

The table below lists information on source packages.

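| Source Package | Release | Version | Status |
|---|---|---|---|
| httpie (PTS) | jessie, jessie (lts) | 0.8.0-1+deb8u1 | fixed |
| httpie | stretch | 0.9.8-1 | vulnerable |
| httpie | buster | 0.9.8-2 | vulnerable |
| httpie | bullseye | 2.2.0-2 | fixed |
| httpie | bookworm | 3.2.1-1 | fixed |
| httpie | sid, trixie | 3.2.2-1 | fixed |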

The information below is based on the following data on fixed versions.

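| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| httpie | source | wheezy | (unfixed) | end-of-life | | |
| httpie | source | jessie | 0.8.0-1+deb8u1 | | DLA-1937-1 | |
| httpie | source | (unstable) | 1.0.3-1 | | | 940058 |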

Notes

[buster] - httpie <no-dsa> (Minor issue)
[stretch] - httpie <no-dsa> (Minor issue)
https://snyk.io/vuln/SNYK-PYTHON-HTTPIE-460107
https://github.com/jakubroztocil/httpie/commit/df36d6255df5793129b02ac82f1010171bd8a0a8
