CVE-2016-1000111

CVE Database · CVE-2016-1000111

CVE-2016-1000111

· MEDIUMModified

CVSS v3.1

5.3

EPSS

2.41%

Published

Mar 11, 2020

Modified

Nov 25, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Weaknesses (CWE)

CWE-425

Affected Products (1)

twisted · twisted (up to 16.3.1)vulnerable

References (8)

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

Third Party Advisory

https://twistedmatrix.com/pipermail/twisted-web/2016-August/005268.html

Mailing ListVendor Advisory

https://twistedmatrix.com/trac/ticket/8623