CVE-2016-5388

Summary

CVE	CVE-2016-5388
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2016-07-19 02:00:00 UTC
Updated	2023-02-12 23:23:00 UTC
Description	Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

Risk And Classification

Problem Types: CWE-284

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Tomcat	All	All	All	All
Application	Apache	Tomcat	All	All	All	All
Application	Apache	Tomcat	All	All	All	All
Application	Hp	System Management Homepage	All	All	All	All
Operating System	Oracle	Linux	6	All	All	All
Operating System	Oracle	Linux	7	All	All	All
Operating System	Oracle	Linux	6	All	All	All
Operating System	Oracle	Linux	7	All	All	All
Operating System	Redhat	Enterprise Linux Desktop	6.0	All	All	All
Operating System	Redhat	Enterprise Linux Desktop	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Desktop	6.0	All	All	All
Operating System	Redhat	Enterprise Linux Desktop	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Hpc Node	6.0	All	All	All
Operating System	Redhat	Enterprise Linux Hpc Node	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Hpc Node	6.0	All	All	All
Operating System	Redhat	Enterprise Linux Hpc Node	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Hpc Node Eus	7.2	All	All	All
Operating System	Redhat	Enterprise Linux Hpc Node Eus	7.2	All	All	All
Operating System	Redhat	Enterprise Linux Server	6.0	All	All	All
Operating System	Redhat	Enterprise Linux Server	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Server	6.0	All	All	All
Operating System	Redhat	Enterprise Linux Server	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	7.2	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	7.2	All	All	All
Operating System	Redhat	Enterprise Linux Server Eus	7.2	All	All	All
Operating System	Redhat	Enterprise Linux Server Eus	7.2	All	All	All
Operating System	Redhat	Enterprise Linux Server Tus	7.2	All	All	All
Operating System	Redhat	Enterprise Linux Server Tus	7.2	All	All	All
Operating System	Redhat	Enterprise Linux Workstation	6.0	All	All	All
Operating System	Redhat	Enterprise Linux Workstation	7.0	All	All	All
Operating System	Redhat	Enterprise Linux Workstation	6.0	All	All	All
Operating System	Redhat	Enterprise Linux Workstation	7.0	All	All	All

References

Reference	Source	Link	Tags
Apache Tomcat CVE-2016-5388 Security Bypass Vulnerability	BID	www.securityfocus.com	Third Party Advisory, VDB Entry
CVE-2016-5388 - Red Hat Customer Portal	MISC	access.redhat.com
Pony Mail!	MISC	lists.apache.org
1353809 – (CVE-2016-5388) CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header	MISC	bugzilla.redhat.com
Red Hat Customer Portal	MISC	access.redhat.com
Pony Mail!	MLIST	lists.apache.org
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Vulnerability Note VU#797896 - CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables	CERT-VN	www.kb.cert.org	Third Party Advisory, US Government Resource
Pony Mail!	MLIST	lists.apache.org
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Document Display \| HPE Support Center	CONFIRM	h20566.www2.hpe.com	Third Party Advisory
Document Display \| HPE Support Center	CONFIRM	h20566.www2.hpe.com	Third Party Advisory
httpoxy	MISC	httpoxy.org	Third Party Advisory
Apache Tomcat CGI Application "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases - SecurityTracker	SECTRACK	www.securitytracker.com	Third Party Advisory, VDB Entry, Vendor Advisory
Document Display \| HPE Support Center	CONFIRM	h20566.www2.hpe.com	Third Party Advisory
Oracle Linux Bulletin - October 2016	CONFIRM	www.oracle.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Pony Mail!	MISC	lists.apache.org
Pony Mail!	MISC	lists.apache.org
Pony Mail!	MISC	lists.apache.org
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Pony Mail!	MISC	lists.apache.org
Red Hat Customer Portal	MISC	access.redhat.com
openSUSE-SU-2016:2252-1: moderate: Security update for tomcat	SUSE	lists.opensuse.org	Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
www.apache.org/security/asf-httpoxy-response.txt	CONFIRM	www.apache.org	Vendor Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MISC	lists.apache.org
[SECURITY] [DLA 1883-1] tomcat8 security update	MLIST	lists.debian.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Red Hat Customer Portal - Access to 24x7 support and knowledge	MISC	access.redhat.com
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Document Display \| HPE Support Center	CONFIRM	h20566.www2.hpe.com	Third Party Advisory
Apache Tomcat 7 (7.0.73) - Changelog	CONFIRM	tomcat.apache.org	Release Notes, Vendor Advisory
Oracle Critical Patch Update - July 2017	CONFIRM	www.oracle.com	Patch, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.