CVE-2019-10751

NameCVE-2019-10751
DescriptionAll versions of the HTTPie package prior to version 1.0.3 are vulnerable to Open Redirect that allows an attacker to write an arbitrary file with supplied filename and content to the current directory, by redirecting a request from HTTP to a crafted URL pointing to a server in his or hers control.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1937-1
NVD severitymedium
Debian Bugs940058

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
httpie (PTS)jessie0.8.0-1vulnerable
jessie (security)0.8.0-1+deb8u1fixed
stretch0.9.8-1vulnerable
buster0.9.8-2vulnerable
bullseye, sid1.0.3-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
httpiesource(unstable)1.0.3-1940058
httpiesourcejessie0.8.0-1+deb8u1DLA-1937-1

Notes

[buster] - httpie <no-dsa> (Minor issue)
[stretch] - httpie <no-dsa> (Minor issue)
https://snyk.io/vuln/SNYK-PYTHON-HTTPIE-460107
https://github.com/jakubroztocil/httpie/commit/df36d6255df5793129b02ac82f1010171bd8a0a8

Search for package or bug name: Reporting problems