CVE-2016-1000108

Name of the Vulnerable Software and Affected Versions yaws versions prior to 2.0.4

Description The issue arises from the failure to address RFC 3875 section 4.1.18 namespace conflicts, which leaves CGI applications unprotected from untrusted client data in the HTTP PROXY environment variable. This could allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request.

Recommendations For versions prior to 2.0.4, update to version 2.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the HTTP PROXY environment variable to minimize the risk of exploitation.