CVE-2016-1000111
Forced Browsing in Twisted
5.3
MEDIUM
CVSS 3.1
EPSS 0.58%
Description
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
How to fix CVE-2016-1000111
To remediate CVE-2016-1000111, upgrade the affected package to a fixed version below.
- —upgrade to 16.4.0-1 or later
- —upgrade to 16.3.1 or later
- —upgrade to 16.3.1 or later
Is CVE-2016-1000111 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 16.4.0-1
- from 0, < 16.3.1
- from 0, < 16.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |