CVE-2016-1000111

MEDIUM

Twisted <16.3.1 - SSRF

Title source: llm

Description

Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

References (4)

[Third Party Advisory] http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

[Mailing List, Third Party Advisory] https://www.openwall.com/lists/oss-security/2016/07/18/6

[Patch, Vendor Advisory] https://twistedmatrix.com/trac/ticket/8623

[Mailing List, Vendor Advisory] https://twistedmatrix.com/pipermail/twisted-web/2016-August/005268.html

Scores

CVSS v3 5.3

EPSS 0.0058

EPSS Percentile 69.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE

CWE-425

Status published

Products (2)

pypi/Twisted 0 - 16.3.1PyPI

twisted/twisted < 16.3.1

Published Mar 11, 2020

Tracked Since Feb 18, 2026