
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2016-1000111 affects Twisted versions before 16.3.1. The vulnerability relates to the handling of the HTTP_PROXY environment variable in CGI scripts. The issue was discovered by Scott Geary from VendHQ and was fixed in Twisted 16.3.1, released in August 2016 (Red Hat Advisory, Debian Tracker).
The vulnerability occurs because Twisted does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable. The vulnerability has a CVSS v3.1 base score of 5.3 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).
A remote attacker could potentially use this vulnerability to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. This allows the attacker to intercept and potentially modify outbound HTTP traffic from the affected CGI application (Red Hat Advisory).
The vulnerability was fixed in Twisted version 16.3.1. After applying the fix, python-twisted-web no longer passes the value of the Proxy request header to scripts via the HTTP_PROXY environment variable. Users are advised to upgrade to version 16.3.1 or later (Twisted Announcement).
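The header-to-variable mapping behind this issue, with and without the fix's behaviour, shown as an added example (not Twisted's own code). The function names, the script-side scrub and the sample request values are assumptions constructed for illustration.

```python
# RFC 3875 gives these two headers their own meta-variables (no HTTP_ prefix).
UNPREFIXED = {"CONTENT_TYPE", "CONTENT_LENGTH"}

def cgi_meta_variables(headers, drop_proxy=True):
    """Map request headers to CGI meta-variables (RFC 3875 section 4.1.18).

    headers: iterable of (name, value) pairs as received from the client.
    drop_proxy=False reproduces the pre-fix mapping, where a client 'Proxy'
    header becomes HTTP_PROXY in the script's environment.
    """
    env = {}
    for name, value in headers:
        key = name.strip().upper().replace("-", "_")
        if key in UNPREFIXED:
            env[key] = value
        elif drop_proxy and key == "PROXY":
            continue  # never let client data occupy the HTTP_PROXY name
        else:
            key = "HTTP_" + key
            # Repeated headers are folded into one comma-separated value.
            env[key] = env[key] + ", " + value if key in env else value
    return env

def child_environment(server_env, headers, drop_proxy=True):
    """Environment handed to the CGI script: server settings plus request data."""
    env = dict(server_env)
    env["GATEWAY_INTERFACE"] = "CGI/1.1"
    env.update(cgi_meta_variables(headers, drop_proxy))  # request data wins on a name clash
    return env

def scrub_in_script(environ):
    """Script-side defence in depth: under CGI, HTTP_PROXY cannot be trusted."""
    if "GATEWAY_INTERFACE" in environ:
        environ.pop("HTTP_PROXY", None)
    return environ

# Constructed sample request; the .invalid hosts are placeholders.
SAMPLE_HEADERS = [("Host", "app.example.invalid"),
                  ("pRoXy", "http://proxy.example.invalid:8080"),
                  ("Content-Type", "text/plain")]

if __name__ == "__main__":
    for fixed in (False, True):
        env = child_environment({"PATH": "/usr/bin"}, SAMPLE_HEADERS, drop_proxy=fixed)
        print("fixed" if fixed else "pre-fix", "->", env.get("HTTP_PROXY"))
```

Header names are case-insensitive, so the filter compares the normalised name rather than the literal string `Proxy`.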
The vulnerability was part of a broader class of CGI application vulnerabilities affecting multiple languages and frameworks including PHP, Go, Python and others. It was tracked as part of the 'httpoxy' vulnerability set which resulted in multiple CVEs being assigned to different affected software (OSS Security).
Source: This report was generated using AI