Lucene search

Veracode Vulnerability DatabaseVERACODE:44305

HistoryNov 17, 2023 - 8:12 a.m.

Man-in-the-Middle

2023-11-1708:12:31

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

httpie

vulnerability

https

warnings

urllib3

certificate validation

man-in-the-middle

attacks

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.7%

JSON

httpie is vulnerable to Man-in-the-Middle attacks. The vulnerability exists due to the use of urllib3.disable_warnings() in client.py, which does not properly enforce hostname verification or certificate validation. This means that HTTPS warnings, crucial for debugging and security awareness, are not displayed. This could potentially cause users to remain unaware of misconfigured or insecure SSL implementations, leading to a risk of Man-In-The-Middle (MITM) attacks.

CPENameOperatorVersion
httpiele3.2.2
httpiele3.2.2

CPE	Name	Operator	Version
	httpie	le	3.2.2
	httpie	le	3.2.2

References

github.com/advisories/GHSA-8r96-8889-qg2x

github.com/httpie/cli/blob/master/httpie/client.py#L33

github.com/httpie/cli/blob/master/httpie/internal/update_warnings.py#L44

gxx777.github.io/HTTPie_3.2.2_Cryptographic_API_Misuse_Vulnerability.md

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.7%

JSON

Related for VERACODE:44305