Lucene search
K

Fedora 44 : cpp-httplib (2026-1b15ac058b)

🗓️ 03 Jul 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 4 Views

Update cpp-httplib to 0.48.0 on Fedora 44; fixes IP-host cert identity and percent-escape parsing.

Related
Refs
Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2026-1b15ac058b
#

include('compat.inc');

if (description)
{
  script_id(324926);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/07/03");

  script_cve_id(
    "CVE-2026-33745",
    "CVE-2026-45352",
    "CVE-2026-45372",
    "CVE-2026-46527",
    "CVE-2026-54919"
  );
  script_xref(name:"FEDORA", value:"2026-1b15ac058b");

  script_name(english:"Fedora 44 : cpp-httplib (2026-1b15ac058b)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Fedora host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the
FEDORA-2026-1b15ac058b advisory.

    # Update to 0.48.0 (rhbz#2481109)

    ## Security fixes

    - Complete the IP-host certificate identity fix from v0.47.0 for the
    Mbed TLS and wolfSSL backends. An IP-literal host is now authenticated
    only via a matching iPAddress SAN, never via the certificate's Common
    Name (RFC 9110)  matching what the OpenSSL backend already enforces
    through X509_check_ip. Previously these backends fell back to the CN
    when no IP SAN matched, and recognized IPv4 only; now IPv6 (16-byte)
    iPAddress SANs are matched as well, and the CN fallback is skipped for
    both IPv4 and IPv6 literal hosts (#2476)

    ## Improvements

    - Replace the strtod-based from_chars for double with a hand-written,
    locale-independent parser. The only double parsed by the library is the
    HTTP quality value; strtod reads the decimal separator from the global C
    locale, so an embedder calling setlocale(LC_ALL, ) into a
    comma-decimal locale would mis-parse q-values. The new parser always
    treats . as the decimal separator and is allocation-free (Fix #2475)
    - Fix OpenSSL 4.0 deprecation warnings: fetch CA store objects via the
    thread-safe X509_STORE_get1_objects() (OpenSSL 3.3+) and extract the
    subject CN via X509_NAME_get_index_by_NID()/X509_NAME_get_entry()
    instead of the deprecated X509_STORE_get0_objects() and
    X509_NAME_get_text_by_NID(). Older OpenSSL, BoringSSL, and LibreSSL keep
    using the get0 path. Verified warning-free against OpenSSL 4.0.1, 3.6.2,
    and 3.0

    ## Behavior changes

    - decode_query_component() now uses strict hex parsing for
    percent-escapes, consistent with decode_uri_component() and
    decode_path_component(). A % followed by non-hex characters (e.g. a sign
    or whitespace such as %-1, %+5, % 5) is passed through literally instead
    of being accepted as a valid escape (#2472)

    Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.48.0

    # Update to 0.47.0 (rhbz#2481109, CVE-2026-46527, CVE-2026-45372, CVE-2026-45352)

    ## Security fixes

    - Fix TLS certificate chain verification bypass for IP-literal hosts on the Mbed TLS and wolfSSL backends:
    with server certificate verification enabled, SSLClient skipped chain validation entirely (any untrusted
    certificate with a matching IP SAN was accepted), and WebSocketClient on Mbed TLS skipped verification
    altogether. Chain verification now stays enabled for IP hosts, and certificate identity is verified post-
    handshake against IP SANs on all backends. SNI is no longer sent for IP hosts on Mbed TLS and wolfSSL, per
    RFC 6066 ([CVE-2026-54919](https://github.com/yhirose/cpp-
    httplib/security/advisories/GHSA-8ffh-4p95-g3p2))

    ## New features

    - Add Server::set_start_handler(): a callback invoked when the server is ready to accept connections,
    useful when running the server in a background thread (#2467)
    - Add Client/SSLClient/WebSocketClient::enable_system_ca(bool) to opt into loading system CA certificates
    alongside a custom CA. The default is unchanged: a custom CA remains exclusive. The setting carries over
    to clients created for HTTPS redirects (#2471)
    - Add WebSocketClient::set_hostname_addr_map() to connect to a specific IP address while keeping the
    original hostname for the handshake and certificate verification (#2463)

    ## Behavior changes

    - The request body is now read after route matching and the pre-request handler, so both the regular
    handler and ContentReader paths behave the same: route matching  pre-request handler  body read 
    handler. A request rejected by the pre-request handler (e.g. failed per-route authentication via
    req.matched_route) no longer buffers the body at all. Note: code that referenced req.body or body-derived
    form fields inside the pre-request handler will now see an empty body; inspect headers, path, query
    parameters, or matched_route instead
    - WebSocketClient with a custom CA no longer merges system CA certificates (it previously always merged
    them). This matches SSLClient behavior; call enable_system_ca(true) to load system CA certificates
    alongside the custom CA
    - Range request headers are now ignored for streaming responses of unknown length instead of producing an
    invalid response (#2465)

    ## Bug fixes

    - Fix SSLClient::set_ca_cert_store() breaking custom-CA exclusivity: system CA certificates were silently
    merged into the user-provided store, broadening the trust set. Also fix Client::load_ca_cert_store() not
    carrying CA certificates over to clients created for HTTPS redirects
    - Fix WebSocketClient dropping the query string from the URL during the upgrade handshake, so query
    parameters (e.g. auth tokens) are sent (#2468)
    - Fix a use-after-free when reconnecting a WebSocketClient after set_ca_cert_store(), and a memory leak in
    the Mbed TLS and wolfSSL set_ca_cert_store() backends
    - Fix MSVC warning C4309 (truncation of constant value) in SHA padding code (#2464)
    - Cast to unsigned char before ctype calls in is_hex and is_token_char to avoid undefined behavior with
    negative char values (#2469)

    Source: https://github.com/yhirose/cpp-httplib/releases/tag/v0.47.0


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2026-1b15ac058b");
  script_set_attribute(attribute:"solution", value:
"Update the affected cpp-httplib package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-33745");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2026-46527");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/03/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/06/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/07/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:44");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:cpp-httplib");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Fedora Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'Fedora' >!< os_product) audit(AUDIT_OS_NOT, 'Fedora');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');
if (! preg(pattern:"^44([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'Fedora 44', 'Fedora ' + os_version);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);

var constraints = [
  {
    'release': '44',
    'pkgs': [
      {'reference':'cpp-httplib-0.48.0-1.fc44', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cpp-httplib');
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

03 Jul 2026 00:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.17.5 - 9.9
CVSS 48.7
EPSS0.00327
SSVC
4