5.3

CVE-2016-1000111

EPSS 0.58%
Published 11.03.2020 20:15:11
Last modified 25.11.2024 18:12:24
Source cve@mitre.org
Teams watchlist Login
Open Login

Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Twisted ≫ Twisted Version < 16.3.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.58%	0.664

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-425 Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

Third Party Advisory

https://twistedmatrix.com/pipermail/twisted-web/2016-August/005268.html

Vendor Advisory

Mailing List

https://twistedmatrix.com/trac/ticket/8623

Patch

Vendor Advisory

https://www.openwall.com/lists/oss-security/2016/07/18/6

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2016-1000111

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-1000111

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-1000111

EUVD