[3.5] apache2: sets environmental variable based on user supplied Proxy request header (CVE-2016-5387)ID: oval:org.secpod.oval:def:1800300 | Date: (C)2018-03-28 (M)2023-12-20 |
Class: PATCH | Family: unix |
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application"s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an " issue.
Platform: |
Alpine Linux 3.5 |