Name | CVE-2019-10751 |
Description | All versions of the HTTPie package prior to version 1.0.3 are vulnerable to Open Redirect that allows an attacker to write an arbitrary file with supplied filename and content to the current directory, by redirecting a request from HTTP to a crafted URL pointing to a server in his or her control. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-1937-1 |
Debian Bugs | 940058 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
httpie (PTS) | jessie, jessie (lts) | 0.8.0-1+deb8u1 | fixed |
| stretch | 0.9.8-1 | vulnerable |
| buster | 0.9.8-2 | vulnerable |
| bullseye | 2.2.0-2 | fixed |
| bookworm | 3.2.1-1 | fixed |
| sid, trixie | 3.2.2-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
httpie | source | wheezy | (unfixed) | end-of-life | | |
httpie | source | jessie | 0.8.0-1+deb8u1 | | DLA-1937-1 | |
httpie | source | (unstable) | 1.0.3-1 | | | 940058 |
Notes
[buster] - httpie <no-dsa> (Minor issue)
[stretch] - httpie <no-dsa> (Minor issue)
https://snyk.io/vuln/SNYK-PYTHON-HTTPIE-460107
https://github.com/jakubroztocil/httpie/commit/df36d6255df5793129b02ac82f1010171bd8a0a8