CVE-2016-5387high
Description
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.
References
http://www.kb.cert.org/vuls/id/797896
https://www.apache.org/security/asf-httpoxy-response.txt
http://www.securitytracker.com/id/1036330
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
http://rhn.redhat.com/errata/RHSA-2016-1650.html
http://rhn.redhat.com/errata/RHSA-2016-1648.html
http://rhn.redhat.com/errata/RHSA-2016-1649.html
http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
http://lists.opensuse.org/opensuse-updates/2016-07/msg00059.html
https://access.redhat.com/errata/RHSA-2016:1635
http://rhn.redhat.com/errata/RHSA-2016-1625.html
https://access.redhat.com/errata/RHSA-2016:1422
https://access.redhat.com/errata/RHSA-2016:1851
https://access.redhat.com/errata/RHSA-2016:1421
https://access.redhat.com/errata/RHSA-2016:1420
http://www.securityfocus.com/bid/91816
http://www.ubuntu.com/usn/USN-3038-1
http://rhn.redhat.com/errata/RHSA-2016-1624.html
https://access.redhat.com/errata/RHSA-2016:1636
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
http://www.debian.org/security/2016/dsa-3623
https://security.gentoo.org/glsa/201701-36
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
https://www.tenable.com/security/tns-2017-04
https://support.apple.com/HT208221
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
Details
Source: MITRE
Published: 2016-07-19
Updated: 2022-09-07
Type: NVD-CWE-noinfo
Risk Information
CVSS v2
Base Score: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Impact Score: 6.4
Exploitability Score: 8.6
Severity: MEDIUM
CVSS v3
Base Score: 8.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 2.2
Severity: HIGH