Upstream information
Description
yaws before 2.0.4 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
| National Vulnerability Database | SUSE | |
|---|---|---|
| Base Score | 5.8 | 5 |
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:N | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| Access Vector | Network | Network |
| Access Complexity | Medium | Low |
| Authentication | None | None |
| Confidentiality Impact | Partial | None |
| Integrity Impact | Partial | Partial |
| Availability Impact | None | None |
| National Vulnerability Database | |
|---|---|
| Base Score | 6.1 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality Impact | Low |
| Integrity Impact | Low |
| Availability Impact | None |
| CVSSv3 Version | 3.1 |
SUSE Timeline for this CVE
CVE page created: Mon Jul 18 17:15:22 2016CVE page last modified: Wed Oct 26 20:19:46 2022