DEBIAN-CVE-2016-5387

DEBIAN-CVE-2016-5387 PUBLISHED CVSS 8.100000381469727 HIGH

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.

Risk Scores

CVSS v3.1

8.100000381469727

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:14	apache2	0, 0, 0
Debian:11	apache2	0, 0, 0
Debian:12	apache2	0, 0, 0
Debian:13	apache2	0, 0, 0

Timeline

Jul 19, 2016 CVE Published
Jul 22, 2016 PoC Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2016-5387 advisory

Open in Interactive Console →