CVE-2016-1000111
Severity
5.3MEDIUM
EPSS
0.7%
top 28.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 11
Latest updateApr 30
Description
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4
Affected Packages4 packages
Patches
🔴Vulnerability Details
4📋Vendor Advisories
4Debian▶
CVE-2016-1000111: twisted - Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namesp...↗2016
💬Community
3Bugzilla▶
CVE-2016-1000111 python-twisted-web: Python Twisted: sets environmental variable based on user supplied Proxy request header [epel-5]↗2016-07-18
Bugzilla▶
CVE-2016-1000111 python-twisted-web2: Python Twisted: sets environmental variable based on user supplied Proxy request header [fedora-all]↗2016-07-18
Bugzilla▶
CVE-2016-1000111 Python Twisted: sets environmental variable based on user supplied Proxy request header↗2016-07-18