Detections
Analytics
CVE-2016-5387
high
Description
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.
References
https://www.tenable.com/security/tns-2017-04
https://support.apple.com/HT208221
https://security.gentoo.org/glsa/201701-36
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
https://access.redhat.com/errata/RHSA-2016:1851
https://access.redhat.com/errata/RHSA-2016:1636
https://access.redhat.com/errata/RHSA-2016:1635
https://access.redhat.com/errata/RHSA-2016:1422
https://access.redhat.com/errata/RHSA-2016:1421
https://access.redhat.com/errata/RHSA-2016:1420
http://www.ubuntu.com/usn/USN-3038-1
http://www.securityfocus.com/bid/91816
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.kb.cert.org/vuls/id/797896
http://www.debian.org/security/2016/dsa-3623
http://rhn.redhat.com/errata/RHSA-2016-1649.html
http://rhn.redhat.com/errata/RHSA-2016-1648.html
http://lists.opensuse.org/opensuse-updates/2016-07/msg00059.html