
[GHSA-8r96-8889-qg2x] HTTPie allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack #5249

Conversation

RJPercival

Updates

  • Affected products
  • CVSS v3

Comments
This vulnerability was fixed in v3.2.3 (see https://security.snyk.io/vuln/SNYK-PYTHON-HTTPIE-6067571).

@github-actions github-actions bot changed the base branch from main to RJPercival/advisory-improvement-5249 February 6, 2025 14:44
@@ -32,11 +28,14 @@
"introduced": "0"
},
{
"last_affected": "3.2.2"
"fixed": "3.2.3"
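Review bot: the +/- markers of this hunk were lost in extraction, so it is not visible whether `"last_affected": "3.2.2"` is being removed or kept alongside the new `"fixed": "3.2.3"`; an OSV range event should carry only one of `introduced`, `fixed` or `last_affected`, so please confirm the `last_affected` entry is replaced rather than retained (as rendered, the two lines would also be missing a separating comma).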
Author

This is the only change I actually made - setting the "fixed" version - the rest of the changes seem to have been made automatically.

@shelbyc
Contributor

shelbyc commented Feb 6, 2025

Hi @RJPercival, I'm looking at https://security.snyk.io/vuln/SNYK-PYTHON-HTTPIE-6067571 and some links related to it now.

It looks like https://security.snyk.io/vuln/SNYK-PYTHON-HTTPIE-6067571 is using httpie/cli@7f03c52 as a fix commit reference, which makes sense since it refers to SSL handling.

I searched for "CVE-2023-48052" in https://github.com/httpie/cli and found httpie/cli#1549, in which one of the maintainers says:

verify=False is only used for internal version check requests to a hard-coded URL, not the actual user requests.

(Yes, it was left there unintentionally, and we’ll remove it in the upcoming release, but it poses no danger.)

At the time the post was made on 04 January 2024, the upcoming release was 3.2.3, which was released on 10 July 2024. So this statement suggests to me that 3.2.3 should be marked as not vulnerable.

I agree with your suggestion to add 3.2.3 as a fixed version. Additionally, the CVSS 4.0 score that is currently in the advisory, CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, doesn't correspond as well as it could with NVD and CISA ADP's 3.1 scores (they don't assess a high availability impact, for one), so I'll take a look at removing or at least adjusting the CVSS 4.0 score.

@advisory-database advisory-database bot merged commit 8c562e3 into RJPercival/advisory-improvement-5249 Feb 6, 2025
2 checks passed
@advisory-database
Contributor

Hi @RJPercival! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the RJPercival-GHSA-8r96-8889-qg2x branch February 6, 2025 16:04