CVE-2022-24737: 
Python vulnerability analysis and mitigation

HTTPie, a command-line HTTP client, was found to have a security vulnerability (CVE-2022-24737) affecting versions prior to 3.1.0. The vulnerability was discovered and disclosed in March 2022, where the application failed to properly distinguish between cookies and their respective hosts in session management. This vulnerability affected HTTPie's session functionality, which is used to persistently store state information from HTTP requests and responses (GitHub Advisory).

The vulnerability stems from HTTPie's session management system, specifically in how it handles cookies across different domains. Before version 3.1.0, HTTPie did not properly implement domain-based cookie policies according to RFC 6265 (HTTP State Management Mechanism). The issue received a CVSS v3.1 Base Score of 6.5 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating a network-accessible vulnerability requiring user interaction (NVD).

The vulnerability could result in the exposure of sensitive cookie information when redirects occur from the original host to third-party websites. This means that cookies intended for one domain could potentially be exposed to other domains during redirect operations, leading to possible information disclosure (GitHub Advisory).

Users are advised to upgrade to HTTPie version 3.1.0 or higher to address this vulnerability. After upgrading, users should run the httpie cli sessions upgrade command on their existing sessions to update them to the new secure format. There were no known workarounds for this vulnerability prior to the patch (HTTPie Release).

The vulnerability was responsibly disclosed through huntr.dev by security researcher @Glyph. Following the disclosure, the Fedora Project quickly responded by releasing security updates for Fedora 34, 35, and 36 to address the vulnerability (Fedora Update).