VDB
RHSA-2016%3A1625
RHSA-2016%3A1625
PUBLISHED
CVSS 5 MEDIUM
It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
Risk Scores
CVSS 3.0
5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Text-Only JBCS |
Timeline
- Jul 22, 2016 PoC Published
- Aug 17, 2016 CVE Published
- Apr 30, 2026 Distribution Patch
- Apr 30, 2026 Distribution Patch
- Apr 30, 2026 Security Advisory
- Apr 30, 2026 Security Advisory
- May 14, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2016:1625 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.apachehttp&downloadType=securityPatches&version=2.4.6 advisory
- https://access.redhat.com/security/vulnerabilities/httpoxy advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1353755 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_1625.json advisory
- https://access.redhat.com/security/cve/CVE-2016-5387 advisory
- https://www.cve.org/CVERecord?id=CVE-2016-5387 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2016-5387 advisory
- https://httpoxy.org/ advisory
- https://www.apache.org/security/asf-httpoxy-response.txt advisory