CVE-2016-1000110
Published 2019-11-27
Priority P276 · medium · 6.1 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 4.53% (90.4th percentile)
The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | python2.7 | < python2.7 2.7.12-2 (bullseye) | python2.7 2.7.12-2 (bullseye) |
| fedoraproject | fedora | — | — |
| python | python | >= 2.7.0 < 2.7.13 | 2.7.13 |
| python | python | >= 3.3.0 < 3.3.7 | 3.3.7 |
| python | python | >= 3.4.0 < 3.4.6 | 3.4.6 |
| python | python | >= 3.5.0 < 3.5.3 | 3.5.3 |
Detection & IOCs (extracted from sources)
- Monitor CGI process environments for the presence of HTTP_PROXY being set from an inbound HTTP Proxy request header, which indicates exploitation of this vulnerability.
- Alert on CGI applications where the HTTP_PROXY environment variable is populated from user-supplied input (i.e., the Proxy HTTP header), as this allows attackers to view potentially sensitive information, reply with malformed data, or hold connections open causing denial of service.
- The vulnerability affects Python's CGIHandler class before version 2.7.12; deployments running Python CGI applications on versions prior to 2.7.12 (or equivalent patched builds) remain exposed.
- Red Hat Enterprise Linux 4 will not receive a fix; RHEL 5 remains affected. Operators on these platforms must apply compensating controls.
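The check and compensating control described in the list above, as an added example that is not code from Python or from any of the advisories quoted on this page. The header set, host names and function names are constructed for illustration, and `effective_http_proxy` is a simplified model of a proxy-aware HTTP client, not a real library call.

```python
# Constructed sample request headers (not from a real capture).
SAMPLE_HEADERS = {
    "Host": "app.example.test",
    "User-Agent": "sample-client/1.0",
    "Proxy": "http://proxy.example.test:8080",
}

def cgi_environ_from_headers(headers, method="GET"):
    """CGI (RFC 3875) mapping: request header 'Some-Name' becomes the
    meta-variable HTTP_SOME_NAME, so 'Proxy' lands on HTTP_PROXY."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def is_cgi_context(env):
    """A CGI gateway always sets these variables for the script."""
    return "REQUEST_METHOD" in env or "GATEWAY_INTERFACE" in env

def flag_proxy_clash(env):
    """Detection: in a CGI context HTTP_PROXY can only have come from a
    client 'Proxy' header, so return its value for alerting."""
    if is_cgi_context(env) and env.get("HTTP_PROXY"):
        return env["HTTP_PROXY"]
    return None

def sanitize_cgi_environ(env):
    """Compensating control: drop HTTP_PROXY in a CGI context. Lowercase
    http_proxy cannot be produced by the header mapping and is kept."""
    clean = dict(env)
    if is_cgi_context(clean):
        clean.pop("HTTP_PROXY", None)
    return clean

def effective_http_proxy(env):
    """Simplified model (assumption) of what a proxy-aware HTTP client
    would read from the environment for outgoing http:// requests."""
    return env.get("http_proxy") or env.get("HTTP_PROXY")

if __name__ == "__main__":
    env = cgi_environ_from_headers(SAMPLE_HEADERS)
    print("flagged:", flag_proxy_clash(env))
    print("before :", effective_http_proxy(env))
    print("after  :", effective_http_proxy(sanitize_cgi_environ(env)))
```

Run `sanitize_cgi_environ` over `os.environ` at the top of a CGI script before any HTTP client is imported or used; on a front-end server the equivalent control is to strip the `Proxy` request header before it reaches the gateway.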
CVSS provenance
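| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vulncheck | — | 6.1 | MEDIUM | — |
| vendor_ubuntu | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.1 | LOW | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |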
GHSA
GHSA-97ww-5p4j-7pg9: The CGIHandler class in Python before 2
ghsa_unreviewed·2022-05-24
CVE-2016-1000110 [MEDIUM] CWE-601 GHSA-97ww-5p4j-7pg9: The CGIHandler class in Python before 2
The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
OSV
CVE-2016-1000110: The CGIHandler class in Python before 2
osv·2019-11-27·CVSS 6.1
CVE-2016-1000110 [MEDIUM] CVE-2016-1000110: The CGIHandler class in Python before 2
The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
OSV
python2.7, python3.2, python3.4, python3.5 vulnerabilities
osv·2016-11-22·CVSS 6.5
CVE-2016-0772 [MEDIUM] python2.7, python3.2, python3.4, python3.5 vulnerabilities
It was discovered that the smtplib library in Python did not return an
error when StartTLS fails. A remote attacker could possibly use this to
expose sensitive information. (CVE-2016-0772)
Rémi Rampin discovered that Python would not protect CGI applications
from contents of the HTTP_PROXY environment variable when based on
the contents of the Proxy header from HTTP requests. A remote attacker
could possibly use this to cause a CGI application to redirect outgoing
HTTP requests. (CVE-2016-1000110)
Insu Yun discovered an integer overflow in the zipimporter module in
Python that could lead to a heap-based overflow. An attacker could
use this to craft a special zip file that when read by Python could
possibly execute arbitrary code
VulnCheck
python python URL Redirection to Untrusted Site ('Open Redirect')
vulncheck·2016·CVSS 6.1
CVE-2016-1000110 [MEDIUM] python python URL Redirection to Untrusted Site ('Open Redirect')
The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
Affected: python python
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-landscape-report-2h-2023.pdf
Ubuntu
Python vulnerabilities
vendor_ubuntu·2016-11-22·CVSS 6.5
CVE-2016-0772 [MEDIUM] Python vulnerabilities
Title: Python vulnerabilities
Summary: Several security issues were fixed in Python.
It was discovered that the smtplib library in Python did not return an
error when StartTLS fails. A remote attacker could possibly use this to
expose sensitive information. (CVE-2016-0772)
Rémi Rampin discovered that Python would not protect CGI applications
from contents of the HTTP_PROXY environment variable when based on
the contents of the Proxy header from HTTP requests. A remote attacker
could possibly use this to cause a CGI application to redirect outgoing
HTTP requests. (CVE-2016-1000110)
Insu Yun discovered an integer overflow in the zipimporter module in
Python that could lead to a heap-based overflow. An attacker could
use this to craft a special zip file that when read by Python could
poss
Red Hat
CGIHandler: sets environmental variable based on user supplied Proxy request header
vendor_redhat·2016-07-18·CVSS 6.1
CVE-2016-1000110 [MEDIUM] CWE-20 CGIHandler: sets environmental variable based on user supplied Proxy request header
The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request.
Package: python (Red Hat Enterprise Linux 4) - Will not fix
Package: python (Red Hat Enterprise Linux 5) - Affected
Debian
CVE-2016-1000110: python2.7 - The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_P...
vendor_debian·2016·CVSS 6.1
CVE-2016-1000110 [MEDIUM] CVE-2016-1000110: python2.7 - The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_P...
The CGIHandler class in Python before 2.7.12 does not protect against the HTTP_PROXY variable name clash in a CGI script, which could allow a remote attacker to redirect HTTP requests.
Scope: local
bullseye: resolved (fixed in 2.7.12-2)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-1000110 python3: Python CGIHandler: sets environmental variable based on user supplied Proxy request header [fedora-all]
bugzilla·2016-07-22·CVSS 6.1
CVE-2016-1000110 [MEDIUM] CVE-2016-1000110 python3: Python CGIHandler: sets environmental variable based on user supplied Proxy request header [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE
Bugzilla
CVE-2016-1000110 python: Python CGIHandler: sets environmental variable based on user supplied Proxy request header [fedora-all]
bugzilla·2016-07-22·CVSS 6.1
CVE-2016-1000110 [MEDIUM] CVE-2016-1000110 python: Python CGIHandler: sets environmental variable based on user supplied Proxy request header [fedora-all]
Bugzilla
CVE-2016-1000110 python34: Python CGIHandler: sets environmental variable based on user supplied Proxy request header [epel-7]
bugzilla·2016-07-22·CVSS 6.1
CVE-2016-1000110 [MEDIUM] CVE-2016-1000110 python34: Python CGIHandler: sets environmental variable based on user supplied Proxy request header [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
[b
Bugzilla
CVE-2016-1000110 python26: Python CGIHandler: sets environmental variable based on user supplied Proxy request header [epel-5]
bugzilla·2016-07-22·CVSS 6.1
CVE-2016-1000110 [MEDIUM] CVE-2016-1000110 python26: Python CGIHandler: sets environmental variable based on user supplied Proxy request header [epel-5]
Bugzilla
CVE-2016-1000110 Python CGIHandler: sets environmental variable based on user supplied Proxy request header
bugzilla·2016-07-18·CVSS 6.1
CVE-2016-1000110 [MEDIUM] CVE-2016-1000110 Python CGIHandler: sets environmental variable based on user supplied Proxy request header
Dominic Scheirlinck of VendHQ reports:
Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attacker's original request can be redirected to an attacker-controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service.
Discussion:
Acknowledgments:
Name: Scott Geary (
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000110
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2016-1000110
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7K3WFJO3SJQCODKRKU6EQV3ZGHH53YPU/
https://security-tracker.debian.org/tracker/CVE-2016-1000110
Published: 2019-11-27
Exploited in the wild