Vulnerability Details : CVE-2016-1000111
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
Products affected by CVE-2016-1000111
- cpe:2.3:a:twisted:twisted:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-1000111
0.58%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 67 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-1000111
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
10.0
|
2.9
|
NIST | |
|
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
3.9
|
1.4
|
NIST |
CWE ids for CVE-2016-1000111
-
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-1000111
-
https://twistedmatrix.com/trac/ticket/8623
#8623 (Mitigate CVE-2016-1000111 ("httpoxy")) – TwistedPatch;Vendor Advisory
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
Oracle Linux Bulletin - October 2016Third Party Advisory
-
https://twistedmatrix.com/pipermail/twisted-web/2016-August/005268.html
[Twisted-web] Twisted 16.3.1 Release AnnouncementMailing List;Vendor Advisory
-
https://www.openwall.com/lists/oss-security/2016/07/18/6
oss-security - Re: A CGI application vulnerability for PHP, Go, Python and othersMailing List;Third Party Advisory
Jump to