Bug 2250163 (CVE-2023-48052)

Summary: CVE-2023-48052 httpie: Missing SSL certificate validation
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: cstratak, mhroncok
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2250164, 2250165    
Bug Blocks:    

Description Patrick Del Bello 2023-11-16 19:33:14 UTC 
Latest version in the Gentoo tree is 3.2.1 and the latest version in upstream is 3.2.2. Before updating, the status of this vulnerability should probably be checked whether it has been patched.



https://www.cve.org/CVERecord?id=CVE-2023-48052
https://gxx777.github.io/HTTPie_3.2.2_Cryptographic_API_Misuse_Vulnerability.md

Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack.

Expected Behavior:
The expected behavior for any HTTPS connection is that the client should validate the SSL certificate provided by the server to ensure it is trusted, not expired, and matches the requested hostname. Additionally, any HTTPS warnings should be displayed to the user, rather than being disabled, to avoid security oversights.

Actual Behavior:
The actual behavior observed in the code indicates that SSL certificate validation may not be properly enforced. Furthermore, HTTPS warnings that are essential for debugging and security awareness are not displayed, potentially causing the users to remain unaware of misconfigured or insecure SSL implementations.
Comment 1 Patrick Del Bello 2023-11-16 19:33:42 UTC 
Created httpie tracking bugs for this issue:

Affects: epel-all [bug 2250164]
Affects: fedora-all [bug 2250165]
Comment 3 Miro HronĨok 2023-11-17 13:07:04 UTC 
Interestingly, I cannot locate any upstream issue about this.

Why is the version packaged in Gentoo relevant here?
Comment 4 Patrick Del Bello 2023-12-06 05:29:35 UTC 
mhroncok, yes, I just realized there are no upstream issue/comments around this. This was filed in order to inform, please feel free to close it if you find that does not apply to upstream version. My apologies.
Comment 5 Charalampos Stratakis 2024-10-15 18:49:42 UTC 
Upstream has not answered any queries: https://github.com/httpie/cli/issues/1588