Vulnerabilities > CVE-2019-10751 - Open Redirect vulnerability in Httpie

047910
CVSS 5.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
NONE
network
httpie
CWE-601
nessus

Summary

All versions of the HTTPie package prior to version 1.0.3 are vulnerable to Open Redirect that allows an attacker to write an arbitrary file with supplied filename and content to the current directory, by redirecting a request from HTTP to a crafted URL pointing to a server in his or hers control.

Vulnerable Configurations

Part Description Count
Application
Httpie
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Fake the Source of Data
    An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1937.NASL
    descriptionAn open redirect, that allows an attacker to write an arbitrary file with supplied filename and content to the current directory, by redirecting a request from HTTP to a crafted URL pointing to a server in his or hers control, was found and reported in CVE-2019-10751. This was patched upstream and so when `--download` without `--output` results in a redirect, now only the initial URL is considered, not the final one. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id129411
    published2019-09-30
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129411
    titleDebian DLA-1937-1 : httpie security update
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-2050.NASL
    descriptionThis update for httpie fixes the following issues : httpie was updated to version 1.0.3 : - Fix CVE-2019-10751 (HTTPie is volnerable to Open Redirect that allows an attacker to write an arbitrary file with supplied filename and content to the current directory, by redirecting a request from HTTP to a crafted URL pointing to a server in his or hers control. (bsc#1148466)
    last seen2020-06-01
    modified2020-06-02
    plugin id128459
    published2019-09-03
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128459
    titleopenSUSE Security Update : httpie (openSUSE-2019-2050)