Fluid Attacks Database

Description

Forced Browsing in Twisted Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an httpoxy issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	twisted	>=0 <16.3.1	16.3.1
debian 14	twisted	>=0 <16.4.0-1	16.4.0-1
debian 13	twisted	>=0 <16.4.0-1	16.4.0-1
debian 12	twisted	>=0 <16.4.0-1	16.4.0-1
debian 11	twisted	>=0 <16.4.0-1	16.4.0-1
rpm rhel7	python-twisted-web	<0:12.1.0-5.el7_2	0:12.1.0-5.el7_2
rpm rhel6	python-twisted-web	<0:8.2.0-5.el6_8	0:8.2.0-5.el6_8

Aliases

1. CVE-2016-10001112. NVD-2016-10001113. OSV-2016-10001114. OSV-DEBIAN-2016-10001115. GCVE-2016-10001116. SECURITY-TRACKER-CVE-2016-1000111

References

1. https://github.com/pypa/advisory-database/tree/main/vulns/twisted/PYSEC-2020-214.yaml2. https://twistedmatrix.com/pipermail/twisted-web/2016-August/005268.html3. https://twistedmatrix.com/trac/ticket/86234. https://www.openwall.com/lists/oss-security/2016/07/18/65. http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.