Vulnerability Details : CVE-2022-24737
Potential exploit
HTTPie is a command-line HTTP client. HTTPie has the practical concept of sessions, which help users persistently store on disk some of the state that belongs to outgoing requests and incoming responses, for later reuse. Before 3.1.0, HTTPie didn't distinguish between cookies and the hosts they belonged to. This behavior resulted in the exposure of some cookies when there are redirects originating from the actual host to a third-party website. Users are advised to upgrade. There are no known workarounds.
Vulnerability category: Information leak
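The description above explains the defect in one sentence: session cookies were stored without the host that set them, so a redirect to another site could carry them along. The following is an added illustration, not HTTPie's own code, of the host-bound cookie model that the fix describes, with the legacy unscoped policy kept side by side for comparison. The class and function names, hostnames, cookie values and the redirect chain are all constructed for this example.

```python
"""
Added example (not HTTPie's code): a minimal model of host-bound session
cookies, the behaviour described as the fix for CVE-2022-24737. Every
cookie is stored together with the hostname of the response that set it,
and a request only receives cookies bound to its own host, so a redirect
to a third-party host gets none of them. Passing host_scoped=False
reproduces the vulnerable policy, where every stored cookie is sent
regardless of destination. All hostnames and values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    host: str  # hostname of the response that set this cookie


@dataclass
class SessionCookies:
    """Stand-in for the cookie list persisted in a client's session file."""

    cookies: List[Cookie] = field(default_factory=list)

    def remember(self, name: str, value: str, set_by_url: str) -> None:
        """Store a cookie bound to the host of the URL that set it."""
        host = urlparse(set_by_url).hostname  # normalised to lower case
        if not host:
            raise ValueError(f"cannot bind cookie {name!r}: no hostname in {set_by_url!r}")
        self.cookies.append(Cookie(name, value, host))

    def for_request(self, url: str, host_scoped: bool = True) -> Dict[str, str]:
        """Cookies that would be attached to a request for `url`.

        host_scoped=True  -> only cookies whose host equals the request host.
        host_scoped=False -> the vulnerable policy: every stored cookie.
        """
        host = urlparse(url).hostname
        return {
            c.name: c.value
            for c in self.cookies
            if not host_scoped or c.host == host
        }


def cookies_per_hop(
    jar: SessionCookies, hops: List[str], host_scoped: bool
) -> List[Tuple[str, Dict[str, str]]]:
    """For each URL the client visits while following redirects (original
    request first, then each Location it is sent to), return the hostname
    and the cookies the client would send there under the chosen policy."""
    return [(urlparse(url).hostname, jar.for_request(url, host_scoped)) for url in hops]


def main() -> None:
    # Constructed scenario: an earlier login stored a session cookie for
    # app.example.test; a later request to that host redirects elsewhere.
    jar = SessionCookies()
    jar.remember("session", "s3cr3t", "https://app.example.test/login")
    hops = [
        "https://app.example.test/dashboard",
        "https://cdn.third-party.test/landing",  # the redirect target
    ]
    for label, scoped in (("legacy (unscoped)", False), ("host-bound", True)):
        print(f"{label}:")
        for host, sent in cookies_per_hop(jar, hops, scoped):
            print(f"  {host:<24} Cookie: {sent or '(none)'}")


if __name__ == "__main__":
    main()
```

Under the legacy policy the second hop receives the session cookie set by app.example.test; under the host-bound policy it receives nothing, which is the observable difference the advisory is about. Matching on the exact hostname is the strictest choice; a real client also has to decide how to treat a cookie's Domain attribute and subdomains, which this model leaves out.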
Products affected by CVE-2022-24737
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:a:httpie:httpie:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24737
- EPSS score: 0.23% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~61% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-24737
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 2.8 | 3.6 | GitHub, Inc. | |
CWE ids for CVE-2022-24737
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-24737
- https://github.com/httpie/httpie/security/advisories/GHSA-9w4w-cpc8-h2fq
  Exposure of Sensitive Information to an Unauthorized Actor in httpie · Advisory · httpie/httpie · GitHub (Exploit; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXFCHGTW3V32GD6GXXJZE5QAOSDT3RTY/
  [SECURITY] Fedora 34 Update: httpie-3.1.0-1.fc34 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QZD2AZOL7XLNZVAV6GDNXYU6MFRU5RS/
  [SECURITY] Fedora 36 Update: httpie-3.1.0-1.fc36 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://github.com/httpie/httpie/commit/65ab7d5caaaf2f95e61f9dd65441801c2ddee38b
  Implement new style cookies · httpie/httpie@65ab7d5 · GitHub (Patch; Third Party Advisory)
- https://github.com/httpie/httpie/releases/tag/3.1.0
  Release HTTPie 3.1.0 · httpie/httpie · GitHub (Release Notes; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R5VYSYKEKVZEVEBIWAADGDXG4Y3EWCQ3/
  [SECURITY] Fedora 35 Update: httpie-3.1.0-1.fc35 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)