Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
Advisories
Source ID Title
EUVD EUVD EUVD-2020-0227 Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \"httpoxy\" issue.
Github GHSA Github GHSA GHSA-3gqj-cmxr-p4x2 Forced Browsing in Twisted
Ubuntu USN Ubuntu USN USN-3585-1 Twisted vulnerability
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Mon, 25 Nov 2024 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Twisted
Twisted twisted
CPEs cpe:2.3:a:twistedmatrix:twisted:*:*:*:*:*:*:*:* cpe:2.3:a:twisted:twisted:*:*:*:*:*:*:*:*
Vendors & Products Twistedmatrix
Twistedmatrix twisted
Twisted
Twisted twisted

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-06T03:55:26.416Z

Reserved: 2016-07-18T00:00:00

Link: CVE-2016-1000111

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-03-11T20:15:11.960

Modified: 2024-11-25T18:12:24.673

Link: CVE-2016-1000111

cve-icon Redhat

Severity : Important

Publid Date: 2016-07-18T00:00:00Z

Links: CVE-2016-1000111 - Bugzilla

cve-icon OpenCVE Enrichment

No data.