CVE-2016-6286

Name of the Vulnerable Software and Affected Versions spiffy-cgi-handlers versions prior to 0.5

Description The issue allows attackers to direct CGI programs to use an attacker-specified HTTP proxy server through a "httpoxy" attack. This occurs because the "spiffy-cgi-handlers" egg converts a nonexistent "Proxy" header to the HTTP PROXY environment variable.

Recommendations For versions prior to 0.5, update to version 0.5 or later to resolve the issue. As a temporary workaround, consider restricting the use of the HTTP PROXY environment variable in CGI programs until the update is applied.