CVE-2016-1000111 Information

Description

Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application’s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an “httpoxy” issue.
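The mechanism behind this advisory, as an added illustration (not Twisted's code): CGI hands request headers to the application as `HTTP_<NAME>` environment variables, so a client-supplied `Proxy` header becomes `HTTP_PROXY`, which many HTTP client libraries read as their outbound proxy setting. The function below models that mapping and the two mitigations a defender would apply: drop the `Proxy` header at the CGI boundary (the RFC 3875 section 4.1.18 namespace fix), and, as defence in depth, strip `HTTP_PROXY` from the environment inside the CGI application. The header names and values are constructed samples.

```python
"""
Added example illustrating the httpoxy (CVE-2016-1000111) mechanism and its
mitigation. It is not Twisted's implementation; the sample headers are made up.
"""

def cgi_env_from_headers(headers, drop_proxy=True):
    """Translate request headers into CGI HTTP_* environment variables.

    `headers` is an iterable of (name, value) pairs as received from the
    client. With drop_proxy=False this reproduces the unsafe mapping the
    CVE describes: a client-sent 'Proxy' header lands in HTTP_PROXY.
    With drop_proxy=True the header is discarded before translation, which
    is the RFC 3875 section 4.1.18 namespace-conflict fix.
    """
    env = {}
    for name, value in headers:
        key = name.strip().lower()
        if drop_proxy and key == "proxy":
            # Client data must never become HTTP_PROXY.
            continue
        env_name = "HTTP_" + key.upper().replace("-", "_")
        env[env_name] = value
    return env


def hardened_environ(environ):
    """Defence in depth on the CGI application side.

    Even if the web server forwards the header, an application that ignores
    HTTP_PROXY cannot have its outbound requests redirected through it.
    """
    return {k: v for k, v in environ.items() if k != "HTTP_PROXY"}


def is_exposed(environ):
    """True if an HTTP client library in this environment would pick up a
    client-controlled proxy setting."""
    return "HTTP_PROXY" in environ


# Constructed sample request headers, including a crafted Proxy header.
SAMPLE_HEADERS = [
    ("Host", "example.invalid"),
    ("User-Agent", "constructed-client/1.0"),
    ("Proxy", "http://proxy.invalid:8080"),
]


if __name__ == "__main__":
    unsafe = cgi_env_from_headers(SAMPLE_HEADERS, drop_proxy=False)
    safe = cgi_env_from_headers(SAMPLE_HEADERS)
    print("unfixed server exposes HTTP_PROXY:", is_exposed(unsafe))
    print("fixed server exposes HTTP_PROXY:  ", is_exposed(safe))
    print("hardened app on unfixed server:   ", is_exposed(hardened_environ(unsafe)))
```

Either fix alone closes the issue; applying both means a missed server upgrade does not leave the application dependent on the web server's behaviour.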

Vulnerability Type (CWE)

CWE-425

Published

2020-03-11

Last Modified

2020-03-13

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Base Score

5.3 MEDIUM

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

References

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html (Third Party Advisory)
https://twistedmatrix.com/pipermail/twisted-web/2016-August/005268.html (Mailing List, Vendor Advisory)
https://twistedmatrix.com/trac/ticket/8623 (Patch, Vendor Advisory)
https://www.openwall.com/lists/oss-security/2016/07/18/6 (Mailing List, Third Party Advisory)