CVE-2016-1000111
MEDIUMTwisted < 16.3.1 - Remote Proxy Redirection via HTTP_PROXY Environment Variable
Title source: llmDescription
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
References (4)
Core 4
Core References
Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
Mailing List, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2016/07/18/6
Patch, Vendor Advisory x_refsource_confirm
https://twistedmatrix.com/trac/ticket/8623
Mailing List, Vendor Advisory x_refsource_confirm
https://twistedmatrix.com/pipermail/twisted-web/2016-August/005268.html
Scores
CVSS v3
5.3
EPSS
0.0241
EPSS Percentile
81.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-425
Status
published
Products (2)
pypi/Twisted
0 - 16.3.1PyPI
twisted/twisted
< 16.3.1
Published
Mar 11, 2020
Tracked Since
Feb 18, 2026