
CVE-2022-24737: Exposure of Sensitive Information to an Unauthorized Actor in httpie

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.65115%
Published: 3/7/2022
Updated: 9/23/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Package Name: httpie
Ecosystem: pip
Vulnerable Versions: < 3.1.0
First Patched Version: 3.1.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from improper cookie domain handling in session management. Key issues were:

  1. remove_cookies() matched cookies by name only, ignoring their domain and path
  2. Session storage kept cookies in a plain dict with no domain attributes
  3. get_httpie_session did not bind a session to the host it was created for
  4. update_headers stored incoming cookies without recording which host set them

The commit 65ab7d5 introduced domain-aware cookie handling via cookie jars, session upgrades, and RFC 6265 compliance. The vulnerable functions directly handled cookie storage/removal without domain considerations, enabling cross-domain cookie leakage.
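The following added example (written for this page, not HTTPie's own code) illustrates the defect class the analysis describes and the fix pattern it mentions. A store keyed only by cookie name replays a cookie set by one host to every other host; a domain-aware jar (here Python's stdlib http.cookiejar, with its strict non-domain policy so host-only cookies do not leak to sibling or sub-domains) releases a cookie only to the host that set it. The hosts, cookie name and value are constructed for the demonstration.

```python
"""Name-keyed vs. domain-bound cookie storage (added illustration, not HTTPie code)."""
import email.message
import http.cookiejar
import urllib.request


class NameKeyedCookieStore:
    """The vulnerable pattern: cookies keyed by name only, origin host discarded."""

    def __init__(self):
        self.cookies = {}

    def store(self, name, value, _origin_host):
        # The host that set the cookie is deliberately ignored, mirroring the defect.
        self.cookies[name] = value

    def cookie_header_for(self, _host):
        # Every stored cookie is replayed to every host: cross-domain leakage.
        return "; ".join(f"{k}={v}" for k, v in self.cookies.items()) or None


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info().get_all()."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


class DomainBoundCookieStore:
    """The hardened pattern: a real cookie jar that records domain and path."""

    def __init__(self):
        # DomainStrictNonDomain: a cookie without an explicit Domain attribute is
        # returned only to the exact host that set it (not to sub-domains either).
        policy = http.cookiejar.DefaultCookiePolicy(
            strict_ns_domain=http.cookiejar.DefaultCookiePolicy.DomainStrictNonDomain
        )
        self.jar = http.cookiejar.CookieJar(policy=policy)

    def store(self, name, value, origin_host):
        # Simulate the response that set the cookie, so the jar binds it to origin_host.
        request = urllib.request.Request(f"https://{origin_host}/login")
        self.jar.extract_cookies(_FakeResponse([f"{name}={value}"]), request)

    def cookie_header_for(self, host):
        # Let the jar decide which cookies apply to an outgoing request to `host`.
        request = urllib.request.Request(f"https://{host}/")
        self.jar.add_cookie_header(request)
        return request.get_header("Cookie")  # None when no cookie is in scope


def leak_demo(store_cls):
    """Set one cookie from bank.example, then ask what each host would receive."""
    store = store_cls()
    store.store("session_id", "s3cr3t-demo-token", "bank.example")  # constructed values
    return {
        host: store.cookie_header_for(host)
        for host in ("bank.example", "api.bank.example", "evil.example")
    }


if __name__ == "__main__":
    print("name-keyed  :", leak_demo(NameKeyedCookieStore))
    print("domain-bound:", leak_demo(DomainBoundCookieStore))
```

With the name-keyed store the session cookie is sent to all three hosts; with the domain-bound jar only bank.example receives it. Note that the stdlib's default policy (DomainLiberal) would still return a host-only cookie to sub-domains of the setting host, which is why the strict non-domain flag is set explicitly.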


WAF Protection Rules

WAF Rule

### Impact

HTTPie has the practical concept of [sessions](https://httpie.io/docs/cli/sessions), which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage. As a
