

Published: 18 July 2016

Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
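The namespace conflict described above, as an added example that is not Twisted's code: under RFC 3875 section 4.1.18 every request header becomes an `HTTP_*` meta-variable, so a `Proxy` header lands in `HTTP_PROXY`, the same variable many HTTP client libraries read as their proxy setting. The function names, sample headers and `.invalid` hosts below are constructed for illustration.

```python
# Added example: all names here are hypothetical and are not Twisted's API.

# Constructed sample request headers; the hosts are placeholders.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("User-Agent", "sample-client/1.0"),
    ("pRoXy", "http://proxy.invalid:3128"),  # header names are case-insensitive
]


def meta_variable_name(header_name):
    """RFC 3875 4.1.18: upper-case the name, map '-' to '_', prefix HTTP_."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def naive_cgi_env(headers, base_env=None):
    """Unprotected mapping: every request header becomes an HTTP_* variable."""
    env = dict(base_env or {})
    for name, value in headers:
        env[meta_variable_name(name)] = value
    return env


def hardened_cgi_env(headers, base_env=None):
    """Mitigated mapping: a request header may never define HTTP_PROXY."""
    env = dict(base_env or {})
    for name, value in headers:
        key = meta_variable_name(name)
        if key == "HTTP_PROXY":
            continue  # client-controlled value colliding with the proxy setting
        env[key] = value
    return env


def client_controlled_proxy(headers):
    """Detection helper: values a request tried to place in HTTP_PROXY."""
    return [v for n, v in headers if meta_variable_name(n) == "HTTP_PROXY"]


if __name__ == "__main__":
    # Constructed server-side setting that the naive mapping overwrites.
    base = {"HTTP_PROXY": "http://corp-proxy.invalid:8080"}
    print("naive:   ", naive_cgi_env(SAMPLE_HEADERS, base)["HTTP_PROXY"])
    print("hardened:", hardened_cgi_env(SAMPLE_HEADERS, base)["HTTP_PROXY"])
    print("flagged: ", client_controlled_proxy(SAMPLE_HEADERS))
```

The detection helper can be run over logged request headers to find requests that carried a `Proxy` header at all, since legitimate clients do not send one.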



CVSS 3 base score: 5.3


Package Release Status
Launchpad, Ubuntu, Debian
artful Not vulnerable
bionic Not vulnerable
cosmic Not vulnerable
disco Not vulnerable
precise Not vulnerable
(code not present)
Released (13.2.0-1ubuntu1.2)
upstream Needed

wily Ignored
(reached end-of-life)
Released (16.0.0-1ubuntu0.2)
yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

precise Does not exist

trusty Does not exist
(trusty was needed)
upstream Needed

wily Ignored
(reached end-of-life)
xenial Does not exist

yakkety Does not exist

zesty Does not exist