Candidate: CVE-2019-10751
PublicDate: 2019-08-23 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10751
 http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00003.html
 https://github.com/jakubroztocil/httpie/releases/tag/1.0.3
 https://snyk.io/vuln/SNYK-PYTHON-HTTPIE-460107
Description:
 All versions of the HTTPie package prior to version 1.0.3 are vulnerable to
 Open Redirect that allows an attacker to write an arbitrary file with
 supplied filename and content to the current directory, by redirecting a
 request from HTTP to a crafted URL pointing to a server in his or her
 control.
Ubuntu-Description:
 It was discovered that HTTPie did not properly generate output filenames
 under certain circumstances. A remote attacker could use this to possibly
 write arbitrary files, resulting in open redirect attacks.
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]

Patches_httpie:
upstream_httpie: released (1.0.3-1)
precise/esm_httpie: DNE
trusty_httpie: ignored (out of standard support)
trusty/esm_httpie: DNE
xenial_httpie: ignored (end of standard support, was needs-triage)
bionic_httpie: needs-triage
disco_httpie: ignored (reached end-of-life)
eoan_httpie: ignored (reached end-of-life)
focal_httpie: not-affected (1.0.3-2)
groovy_httpie: not-affected (1.0.3-2)
hirsute_httpie: not-affected (1.0.3-2)
impish_httpie: not-affected (1.0.3-2)
jammy_httpie: not-affected (1.0.3-2)
devel_httpie: not-affected (1.0.3-2)