[Forgot Password]
Login  Register Subscribe

24128

 
 

131573

 
 

110507

 
 

909

 
 

86504

 
 

136

Paid content will be excluded from the download.


Download | Alert*
CVE
view XML view JSON

CVE-2016-5387Date: (C)2016-08-25   (M)2018-06-17


The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 8.1CVSS Score : 5.1
Exploit Score: 2.2Exploit Score: 4.9
Impact Score: 5.9Impact Score: 6.4
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector: NETWORK
Attack Complexity: HIGHAccess Complexity: HIGH
Privileges Required: NONEAuthentication: NONE
User Interaction: NONEConfidentiality: PARTIAL
Scope: UNCHANGEDIntegrity: PARTIAL
Confidentiality: HIGHAvailability: PARTIAL
Integrity: HIGH 
Availability: HIGH 
  
Reference:
SECTRACK-1036330
BID-91816
DSA-3623
FEDORA-2016-683d0b257b
FEDORA-2016-9fd9bfab9e
FEDORA-2016-a29c65b00f
FEDORA-2016-df0726ae26
GLSA-201701-36
RHSA-2016:1420
RHSA-2016:1421
RHSA-2016:1422
RHSA-2016:1624
RHSA-2016:1625
RHSA-2016:1635
RHSA-2016:1636
RHSA-2016:1648
RHSA-2016:1649
RHSA-2016:1650
RHSA-2016:1851
USN-3038-1
VU#797896
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
https://httpoxy.org/
https://support.apple.com/HT208221
https://www.apache.org/security/asf-httpoxy-response.txt
https://www.tenable.com/security/tns-2017-04
openSUSE-SU-2016:1824

CPE    5
cpe:/a:apache:http_server:2.4.23
cpe:/o:fedoraproject:fedora:23
cpe:/o:fedoraproject:fedora:24
cpe:/o:oracle:linux:6.0
...
CWE    1
CWE-284
OVAL    22
oval:org.secpod.oval:def:39596
oval:org.secpod.oval:def:602561
oval:org.secpod.oval:def:501848
oval:org.secpod.oval:def:501849
...

© SecPod Technologies