HTTP Proxy Vulnerability in Erlang's Inets Module
CVE-2016-1000107
6.1 MEDIUM
What is CVE-2016-1000107?
The Erlang Inets module, particularly in versions 22.1 and earlier, improperly handles the HTTP_PROXY environment variable. Because it follows RFC 3875 section 4.1.18, under which HTTP request headers are passed to CGI applications as HTTP_-prefixed meta-variables, it does not adequately protect applications from untrusted client data: a client-supplied Proxy header ends up in HTTP_PROXY. A malicious actor can send a crafted Proxy header in an HTTP request and potentially redirect the application's outbound HTTP traffic to an arbitrary proxy server, leading to unauthorized access and manipulation of data. For further details, see http://httpoxy.org/ and the Debian Security Tracker.
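The header-to-variable mapping described above, with the usual mitigation of dropping the Proxy header before the CGI environment is built. This is an added example, not code from inets or from this advisory; the module name `httpoxy_filter` and its functions are hypothetical, and the request headers in `demo/0` are constructed.

```erlang
%% Added example, not inets code. Module and function names are hypothetical.
-module(httpoxy_filter).
-export([meta_var/1, cgi_env/1, demo/0]).

%% RFC 3875 section 4.1.18: a request header becomes the meta-variable
%% "HTTP_" ++ upper-cased name, with every "-" replaced by "_".
-spec meta_var(string()) -> string().
meta_var(Name) ->
    "HTTP_" ++ [dash_to_underscore(C) || C <- string:uppercase(Name)].

dash_to_underscore($-) -> $_;
dash_to_underscore(C) -> C.

%% Build the CGI meta-variables for a request, dropping any header that
%% would become HTTP_PROXY. The comparison is done after the mapping, so
%% "Proxy", "proxy" and "pRoXy" are all rejected.
-spec cgi_env([{string(), string()}]) -> [{string(), string()}].
cgi_env(Headers) ->
    [{Var, Value} || {Name, Value} <- Headers,
                     Var <- [meta_var(Name)],
                     Var =/= "HTTP_PROXY"].

%% Constructed sample request: two harmless headers and two spellings of
%% the Proxy header pointing at a placeholder host.
demo() ->
    Headers = [{"Host", "app.example"},
               {"User-Agent", "curl/8.0"},
               {"Proxy", "http://proxy.invalid:8080"},
               {"pRoXy", "http://proxy.invalid:8080"}],
    Env = cgi_env(Headers),
    %% Neither spelling may reach the child process environment.
    false = lists:keymember("HTTP_PROXY", 1, Env),
    [{"HTTP_HOST", "app.example"},
     {"HTTP_USER_AGENT", "curl/8.0"}] = Env,
    Env.
```

Filtering on the mapped name rather than the raw header name keeps the check aligned with what the CGI program will actually see in its environment.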
CVSS V3.1
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed