CVE-2016-1000111

Sažetak

Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

Reference

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
https://twistedmatrix.com/pipermail/twisted-web/2016-August/005268.html
https://twistedmatrix.com/trac/ticket/8623
https://www.openwall.com/lists/oss-security/2016/07/18/6
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
https://twistedmatrix.com/pipermail/twisted-web/2016-August/005268.html
https://twistedmatrix.com/trac/ticket/8623
https://www.openwall.com/lists/oss-security/2016/07/18/6

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

25-11-2024 - 18:12

Objavljeno

11-03-2020 - 20:15