CVE-2016-1000111
Published: 2020-03-11
Priority: P4 · 33 · medium · 5.3 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 2.41% (82.0th percentile)
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
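The namespace conflict described above, as an added example (not Twisted's code or its fix): a model of the RFC 3875 section 4.1.18 header-to-variable mapping, first copying every request header and then dropping the one that collides with HTTP_PROXY. Function names, the server environment and the request headers are constructed for illustration.

```python
# Added example, not Twisted's code. Names and sample values are constructed.
BLOCKED_META_VARS = {"HTTP_PROXY"}  # collides with the proxy setting HTTP clients read


def cgi_meta_name(header_name):
    """RFC 3875 section 4.1.18: upper-case, '-' becomes '_', prefix 'HTTP_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_env_naive(base_env, headers):
    """Model of the unprotected mapping: every request header is copied in."""
    env = dict(base_env)
    for name, value in headers:
        env[cgi_meta_name(name)] = value
    return env


def build_env_hardened(base_env, headers):
    """Drop headers whose meta-variable name is blocked; return (env, dropped)."""
    env = dict(base_env)
    dropped = []
    for name, value in headers:
        meta = cgi_meta_name(name)
        if meta in BLOCKED_META_VARS:
            dropped.append(name)  # Proxy is not a standard request header: log it
            continue
        env[meta] = value
    return env, dropped


# Constructed sample: the operator's own egress proxy plus one inbound request.
SERVER_ENV = {"REQUEST_METHOD": "GET", "HTTP_PROXY": "http://egress.internal.example:3128"}
REQUEST_HEADERS = [
    ("Host", "app.example"),
    ("PROXY", "http://203.0.113.7:8080"),  # client-supplied, any letter case
    ("User-Agent", "sample-client/1.0"),
]

if __name__ == "__main__":
    print("naive   :", build_env_naive(SERVER_ENV, REQUEST_HEADERS)["HTTP_PROXY"])
    env, dropped = build_env_hardened(SERVER_ENV, REQUEST_HEADERS)
    print("hardened:", env["HTTP_PROXY"], "dropped:", dropped)
```

Matching on the mapped variable name rather than the raw header name catches every letter-case variant of the header, and the operator's own HTTP_PROXY value survives untouched.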
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | twisted | < twisted 16.4.0-1 (bookworm) | twisted 16.4.0-1 (bookworm) |
| twisted | twisted | < 16.3.1 | 16.3.1 |
| twisted | twisted | >= 0 < 16.4.0-1 | 16.4.0-1 |
| twisted | twisted | >= 0 < 16.4.0-1 | 16.4.0-1 |
| twisted | twisted | >= 0 < 16.4.0-1 | 16.4.0-1 |
| twisted | twisted | >= 0 < 16.4.0-1 | 16.4.0-1 |
| twisted | twisted | >= 0 < 16.3.1 | 16.3.1 |
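CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | | 5.3 | MEDIUM | |
| vendor_redhat | | 7.8 | HIGH | |
| vendor_debian | | 5.3 | LOW | |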
Ubuntu
Twisted vulnerability
vendor_ubuntu·2018-03-05
CVE-2016-1000111 Twisted vulnerability
Title: Twisted vulnerability
Summary: Twisted could be made to run programs if it received specially crafted
network traffic.
It was discovered that Twisted incorrectly handled certain HTTP requests.
An attacker could possibly use this issue to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
kernel: Heap out-of-bounds read in AF_PACKET sockets
vendor_redhat·2017-08-10·CVSS 7.8
CVE-2017-1000111 [HIGH] CWE-362 kernel: Heap out-of-bounds read in AF_PACKET sockets
Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.
A race condition issue was found in the way the raw packet socket implementation in the Linux kernel networking subsystem handled synchr
Red Hat
Twisted: sets environmental variable based on user supplied Proxy request header
vendor_redhat·2016-07-18·CVSS 5.3
CVE-2016-1000111 [MEDIUM] CWE-20 Twisted: sets environmental variable based on user supplied Proxy request header
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attack
Debian
CVE-2016-1000111: twisted - Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namesp...
vendor_debian·2016·CVSS 5.3
CVE-2016-1000111 [MEDIUM] CVE-2016-1000111: twisted - Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namesp...
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
Scope: local
bookworm: resolved (fixed in 16.4.0-1)
bullseye: resolved (fixed in 16.4.0-1)
forky: resolved (fixed in 16.4.0-1)
sid: resolved (fixed in 16.4.0-1)
trixie: resolved (fixed in 16.4.0-1)
OSV
Forced Browsing in Twisted
osv·2021-04-30
CVE-2016-1000111 [MEDIUM] Forced Browsing in Twisted
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the `HTTP_PROXY` environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an `httpoxy` issue.
GHSA
Forced Browsing in Twisted
ghsa·2021-04-30
CVE-2016-1000111 [MEDIUM] CWE-425 Forced Browsing in Twisted
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the `HTTP_PROXY` environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an `httpoxy` issue.
OSV
CVE-2016-1000111: Twisted before 16
osv·2020-03-11·CVSS 5.3
CVE-2016-1000111 [MEDIUM] CVE-2016-1000111: Twisted before 16
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-1000111 python-twisted-web: Python Twisted: sets environmental variable based on user supplied Proxy request header [epel-5]
bugzilla·2016-07-18·CVSS 5.3
CVE-2016-1000111 [MEDIUM] CVE-2016-1000111 python-twisted-web: Python Twisted: sets environmental variable based on user supplied Proxy request header [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit messa
Bugzilla
CVE-2016-1000111 python-twisted-web2: Python Twisted: sets environmental variable based on user supplied Proxy request header [fedora-all]
bugzilla·2016-07-18·CVSS 5.3
CVE-2016-1000111 [MEDIUM] CVE-2016-1000111 python-twisted-web2: Python Twisted: sets environmental variable based on user supplied Proxy request header [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit messa
Bugzilla
CVE-2016-1000111 Python Twisted: sets environmental variable based on user supplied Proxy request header
bugzilla·2016-07-18·CVSS 5.3
CVE-2016-1000111 [MEDIUM] CVE-2016-1000111 Python Twisted: sets environmental variable based on user supplied Proxy request header
Dominic Scheirlinck of VendHQ reports:
Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attacker's original request can be redirected to an attacker-controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service.
Discussion:
Acknowledgments:
Name: Scott Geary (Ven
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
https://twistedmatrix.com/pipermail/twisted-web/2016-August/005268.html
https://twistedmatrix.com/trac/ticket/8623
https://www.openwall.com/lists/oss-security/2016/07/18/6
2020-03-11
Published