CVE-2016-1000111: Forced Browsing in Twisted
CVSS Score: 5.3 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.68051%
CWE
Published: 4/30/2021
Updated: 11/18/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| twisted | pip | < 16.3.1 | 16.3.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how Twisted's CGI handler converts HTTP request headers into environment variables for the CGI script. RFC 3875 section 4.1.18 requires request headers to be exposed as variables prefixed with 'HTTP_', so a client-supplied 'Proxy' header becomes HTTP_PROXY, the same environment variable that many HTTP client libraries read as their outbound proxy setting. The init method of CGIProcess in twcgi.py was responsible for populating the CGI environment and did so without filtering the Proxy header, allowing untrusted client data to set HTTP_PROXY. The fix in 16.3.1 likely added filtering for this header, as seen in similar httpoxy patches across other frameworks.
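
The header-to-environment mapping described above, with and without a Proxy filter, as an added sketch. This is not Twisted's code: the function names, the blocklist and the sample headers and server environment are hypothetical and constructed for illustration.

```python
# Added example: not Twisted's code. All names here are hypothetical.

# RFC 3875 meta-variables that are exposed without the HTTP_ prefix.
UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}
# Request headers that must never reach the CGI environment (httpoxy).
BLOCKED = {"proxy"}


def header_to_env_name(name):
    """Map a request header name to its RFC 3875 meta-variable name."""
    lowered = name.strip().lower()
    if lowered in UNPREFIXED:
        return UNPREFIXED[lowered]
    return "HTTP_" + lowered.replace("-", "_").upper()


def build_cgi_env(headers, base_env=None, filter_blocked=True):
    """Build a CGI environment from (name, value) header pairs.

    base_env holds server-controlled variables. Header-derived entries are
    layered on top of it, which is why an unfiltered Proxy header can
    overwrite an operator-set HTTP_PROXY.
    """
    env = dict(base_env or {})
    for name, value in headers:
        # Header names are case-insensitive, so compare in lower case.
        if filter_blocked and name.strip().lower() in BLOCKED:
            continue  # drop the client-controlled Proxy header
        env[header_to_env_name(name)] = value
    return env


# Constructed sample request headers (not taken from a real capture).
SAMPLE_HEADERS = [
    ("Host", "app.example.test"),
    ("Content-Type", "text/plain"),
    ("pRoXy", "http://192.0.2.10:8080"),
]
# Constructed server-side environment with an operator-set proxy.
SERVER_ENV = {"REQUEST_METHOD": "GET", "HTTP_PROXY": "http://proxy.internal.test:3128"}

if __name__ == "__main__":
    for label, flt in (("unfiltered", False), ("filtered", True)):
        env = build_cgi_env(SAMPLE_HEADERS, SERVER_ENV, filter_blocked=flt)
        print(label, "HTTP_PROXY =", env.get("HTTP_PROXY"))
```
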