yaws before 2.0.4 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
References
| Link | Resource |
|---|---|
| http://www.openwall.com/lists/oss-security/2016/07/18/6 | Mailing List, Third Party Advisory |
| https://github.com/klacke/yaws/commit/9d8fb070e782c95821c90d0ca7372fc6d7316c78#diff-54053c47eb173a90c26ed19bd9d106c1 | Patch, Third Party Advisory |
| https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000108.json | Third Party Advisory |
| https://security-tracker.debian.org/tracker/CVE-2016-1000108 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-12-10T14:58:52
Updated: 2019-12-10T14:58:52
Reserved: 2016-07-18T00:00:00
Link: CVE-2016-1000108
NVD Information
Status: Analyzed
Published: 2019-12-10T15:15:11.947
Modified: 2020-08-18T15:05:57.937
Link: CVE-2016-1000108
Redhat Information
No data.
CWE