CVE-2016-5388

CVSS v3.0: 8.1 (High)
CVSS v2.0: 5.1 (Medium)
EPSS: 94.82% (99th percentile)
Affected Products: 11
Advisories: 17

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

Weaknesses: CWE-284 (Improper Access Control)
Related CVEs: none listed
CVE Status: PUBLISHED
CNA: Red Hat, Inc.
Published Date: 2016-07-19 02:00:20 (8 years ago)
Updated Date: 2023-02-12 23:23:33 (19 months ago)

Affected Products


Configuration #1

  Product                                   CPE 2.3                                             From      Up to
  Red Hat Enterprise Linux Desktop 7.0      cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  Red Hat Enterprise Linux HPC Node 7.0     cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0
  Red Hat Enterprise Linux HPC Node EUS 7.2 cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2
  Red Hat Enterprise Linux Server 7.0       cpe:2.3:o:redhat:enterprise_linux_server:7.0
  Red Hat Enterprise Linux Server AUS 7.2   cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2
  Red Hat Enterprise Linux Server EUS 7.2   cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2
  Red Hat Enterprise Linux Server TUS 7.2   cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2
  Red Hat Enterprise Linux Workstation 7.0  cpe:2.3:o:redhat:enterprise_linux_workstation:7.0

Configuration #2

  Product                                   CPE 2.3                                             From      Up to
  HP System Management Homepage             cpe:2.3:a:hp:system_management_homepage                       <= 7.5.5.0

Configuration #3

  Product                                   CPE 2.3                                             From      Up to
  Red Hat Enterprise Linux Desktop 6.0      cpe:2.3:o:redhat:enterprise_linux_desktop:6.0
  Red Hat Enterprise Linux HPC Node 6.0     cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0
  Red Hat Enterprise Linux Server 6.0       cpe:2.3:o:redhat:enterprise_linux_server:6.0
  Red Hat Enterprise Linux Workstation 6.0  cpe:2.3:o:redhat:enterprise_linux_workstation:6.0

Configuration #4

  Product                                   CPE 2.3                                             From      Up to
  Oracle Linux 6                            cpe:2.3:o:oracle:linux:6
  Oracle Linux 7                            cpe:2.3:o:oracle:linux:7

Configuration #5

  Product                                   CPE 2.3                                             From      Up to
  Apache Tomcat                             cpe:2.3:a:apache:tomcat                             >= 6.0    <= 6.0.45
  Apache Tomcat                             cpe:2.3:a:apache:tomcat                             >= 7.0    <= 7.0.70
  Apache Tomcat                             cpe:2.3:a:apache:tomcat                             >= 8.0    <= 8.5.4