CVE-2016-5386

MEDIUM

Description

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

References

http://rhn.redhat.com/errata/RHSA-2016-1538.html

http://www.kb.cert.org/vuls/id/797896

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

https://bugzilla.redhat.com/show_bug.cgi?id=1353798

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us

https://httpoxy.org/

https://lists.fedoraproject.org/archives/list/[email protected]/message/7WGHKKCFP4PLVSWQKCM3FJJPEWB5ZNTU/

https://lists.fedoraproject.org/archives/list/[email protected]/message/OR52UXGM6RKSCWF3KQMVZGVZVJ3WEESJ/

Details

Source: MITRE

Published: 2016-07-19

Updated: 2017-08-25

Type: CWE-284

Risk Information

CVSS v2.0

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.2

Severity: HIGH