CVE-2016-5388

high

Description

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

References

http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html

http://rhn.redhat.com/errata/RHSA-2016-1624.html

http://rhn.redhat.com/errata/RHSA-2016-2045.html

http://rhn.redhat.com/errata/RHSA-2016-2046.html

http://www.kb.cert.org/vuls/id/797896

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

http://www.securityfocus.com/bid/91818

http://www.securitytracker.com/id/1036331

https://access.redhat.com/errata/RHSA-2016:1635

https://access.redhat.com/errata/RHSA-2016:1636

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722

https://httpoxy.org/

https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html

https://tomcat.apache.org/tomcat-7.0-doc/changelog.html

https://www.apache.org/security/asf-httpoxy-response.txt

Details

Source: MITRE

Published: 2016-07-19

Updated: 2020-08-14

Type: CWE-284

Risk Information

CVSS v2

Base Score: 5.1

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 4.9

Severity: MEDIUM

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.2

Severity: HIGH

Tenable Plugins

22 plugins in total:

ID | Name | Product | Family | Severity
127865 | Debian DLA-1883-1 : tomcat8 security update (httpoxy) | Nessus | Debian Local Security Checks | critical
101837 | Oracle Enterprise Manager Grid Control Multiple Vulnerabilities (July 2017 CPU) (httpoxy) | Nessus | Misc. | critical
99812 | EulerOS 2.0 SP1 : tomcat (EulerOS-SA-2016-1049) | Nessus | Huawei Local Security Checks | high
96978 | Ubuntu 12.04 LTS / 14.04 LTS : tomcat6, tomcat7 regression (USN-3177-2) (httpoxy) | Nessus | Ubuntu Local Security Checks | critical
96720 | Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : tomcat6, tomcat7, tomcat8 vulnerabilities (USN-3177-1) (httpoxy) | Nessus | Ubuntu Local Security Checks | critical
94997 | Fedora 25 : 1:tomcat (2016-38e5b05260) (httpoxy) | Nessus | Fedora Local Security Checks | high
94748 | Fedora 24 : 1:tomcat (2016-c1b01b9278) (httpoxy) | Nessus | Fedora Local Security Checks | high
94747 | Fedora 23 : 1:tomcat (2016-4094bd4ad6) (httpoxy) | Nessus | Fedora Local Security Checks | high
94654 | HP System Management Homepage < 7.6 Multiple Vulnerabilities (HPSBMU03653) (httpoxy) | Nessus | Web Servers | high
94005 | Scientific Linux Security Update : tomcat on SL7.x (noarch) (20161010) (httpoxy) | Nessus | Scientific Linux Local Security Checks | high
94004 | Scientific Linux Security Update : tomcat6 on SL6.x (noarch) (20161010) (httpoxy) | Nessus | Scientific Linux Local Security Checks | high
93966 | CentOS 7 : tomcat (CESA-2016:2046) (httpoxy) | Nessus | CentOS Local Security Checks | high
93965 | CentOS 6 : tomcat6 (CESA-2016:2045) (httpoxy) | Nessus | CentOS Local Security Checks | high
93951 | RHEL 7 : tomcat (RHSA-2016:2046) (httpoxy) | Nessus | Red Hat Local Security Checks | high
93950 | RHEL 6 : tomcat6 (RHSA-2016:2045) (httpoxy) | Nessus | Red Hat Local Security Checks | high
93948 | Oracle Linux 7 : tomcat (ELSA-2016-2046) (httpoxy) | Nessus | Oracle Linux Local Security Checks | high
93947 | Oracle Linux 6 : tomcat6 (ELSA-2016-2045) (httpoxy) | Nessus | Oracle Linux Local Security Checks | high
93362 | openSUSE Security Update : tomcat (openSUSE-2016-1056) (httpoxy) | Nessus | SuSE Local Security Checks | high
93044 | RHEL 6 : Red Hat JBoss Web Server 3.0.3 Service Pack 1 (RHSA-2016:1636) (httpoxy) | Nessus | Red Hat Local Security Checks | high
93043 | RHEL 7 : Red Hat JBoss Web Server 3.0.3 Service Pack 1 (RHSA-2016:1635) (httpoxy) | Nessus | Red Hat Local Security Checks | high
92539 | HTTP_PROXY Environment Variable Namespace Collision Vulnerability (httpoxy) | Nessus | Web Servers | high
92469 | Amazon Linux AMI : tomcat6 / tomcat7,tomcat8 (ALAS-2016-722) (httpoxy) | Nessus | Amazon Linux Local Security Checks | high