CVE-2016-1000111
Summary
| CVE | CVE-2016-1000111 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-03-11 20:15:00 UTC |
| Updated | 2020-03-13 20:04:00 UTC |
| Description | Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| oss-security - Re: A CGI application vulnerability for PHP, Go, Python and others | MISC | www.openwall.com | Mailing List, Third Party Advisory |
| Oracle Linux Bulletin - October 2016 | CONFIRM | www.oracle.com | Third Party Advisory |
| [Twisted-web] Twisted 16.3.1 Release Announcement | CONFIRM | twistedmatrix.com | Mailing List, Vendor Advisory |
| #8623 (Mitigate CVE-2016-1000111 ("httpoxy")) – Twisted | CONFIRM | twistedmatrix.com | Patch, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 501366 Alpine Linux Security Update for py3-twisted
- 981712 Python (pip) Security Update for twisted (GHSA-3gqj-cmxr-p4x2)