Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cloudfoundryCloud FoundryCFOUNDRY:1EE86C629ABCD63B886F991BBE5E0A75
HistoryDec 21, 2016 - 12:00 a.m.

Multiple CVEs: httpoxy | Cloud Foundry

2016-12-2100:00:00
Cloud Foundry
www.cloudfoundry.org
40

0.936 High

EPSS

Percentile

99.1%

JSON

Multiple CVEs: httpoxy

Low

Vendor

Cloud Foundry

Versions Affected

  • Go Buildpack versions prior to 1.7.10
  • PHP Buildpack versions prior to 4.3.17

Description

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It involves to a namespace conflict which leads to a remotely exploitable vulnerability. httpoxy is a vulnerability for server-side web applications that may allow an attacker to proxy the outgoing HTTP requests made by the web application, direct the server to open outgoing connections to an address and port of their choosing, or tie up server resources by forcing the vulnerable software to use a malicious proxy.

Multiple CVEs were released for httpoxy, including the following that affected Cloud Foundry.

  • CVE-2016-5385: PHP
  • CVE-2016-5386: Go
  • CVE-2016-5387: Apache HTTP Server

Mitigation

Users of affected versions should apply the following mitigation:

  • Upgrade the Go Buildpack to the latest version [2] and restage all applications that use automated buildpack detection.
  • Upgrade the PHP Buildpack to the latest version [3] and restage all applications that use automated buildpack detection.

References

Related

ibm 8
cert 1
checkpoint_advisories 1
threatpost 1
nessus 45
openvas 43
impervablog 1
fedora 12
prion 4
ubuntucve 5
nvd 5
oraclelinux 5
friendsofphp 9
redhatcve 4
github 1
veracode 3
amazon 2
f5 5
huawei 1
cve 5
debiancve 2
centos 4
redhat 10
cvelist 3
mageia 3
debian 3
osv 3
typo3 4
gitlab 1
httpd 2
ubuntu 1
alpinelinux 1
archlinux 1
ibm
ibm
Security Bulletin: Multiple vulnerabilities in Apache Tomcat affect SAN Volume Controller, Storwize family and FlashSystem V9000 products
2023-03-29 01:48:02
Security Bulletin: Vulnerabilities in Apache Tomcat affect the IBM FlashSystem model V840
2018-06-18 00:32:31
Security Bulletin: Vulnerabilities in Apache Tomcat affect the IBM FlashSystem models 840 and 900
2023-02-18 01:45:50
cert
cert
CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables
2016-07-18 00:00:00
checkpoint_advisories
checkpoint_advisories
CGI Namespace Conflict Man-In-The-Middle (httpoxy; CVE-2016-1000109; CVE-2016-1000110; CVE-2016-5385; CVE-2016-5386; CVE-2016-5387; CVE-2016-5388)
2016-07-19 00:00:00
threatpost
threatpost
CGI Script Vulnerability 'Httpoxy' Allows Man-in-the-Middle Attack
2016-07-18 18:00:46
nessus
nessus
HTTP_PROXY Environment Variable Namespace Collision Vulnerability (httpoxy)
2016-07-25 00:00:00
Amazon Linux AMI : golang (ALAS-2016-731) (httpoxy)
2016-08-18 00:00:00
Fedora 24 : php-guzzlehttp-guzzle (2016-aef8a45afe) (httpoxy)
2016-07-29 00:00:00
openvas
openvas
WatchGuard Fireware XTM < 11.12.1 Multiple Vulnerabilities
2017-03-13 00:00:00
Fedora Update for php FEDORA-2016-8eb11666aa
2016-08-04 00:00:00
RedHat Update for php RHSA-2016:1613-01
2016-08-12 00:00:00
impervablog
impervablog
Python and Go Top the Chart of 2019’s Most Popular Hacking Tools
2020-05-27 09:22:21
fedora
fedora
[SECURITY] Fedora 23 Update: golang-1.5.4-2.fc23
2016-07-29 02:54:15
[SECURITY] Fedora 23 Update: php-guzzlehttp-guzzle6-6.2.1-1.fc23
2016-07-29 02:55:08
[SECURITY] Fedora 23 Update: php-guzzlehttp-guzzle-5.3.1-1.fc23
2016-07-29 02:55:03
prion
prion
Design/Logic Flaw
2016-07-19 02:00:00
Design/Logic Flaw
2016-07-19 02:00:00
Design/Logic Flaw
2016-07-19 02:00:00
ubuntucve
ubuntucve
CVE-2016-5386
2016-07-18 00:00:00
CVE-2016-5387
2016-07-18 00:00:00
CVE-2016-5385
2016-07-18 00:00:00
nvd
nvd
CVE-2016-5386
2016-07-19 02:00:18
CVE-2016-5385
2016-07-19 02:00:17
CVE-2016-5387
2016-07-19 02:00:19
oraclelinux
oraclelinux
php security update
2016-08-11 00:00:00
golang security, bug fix, and enhancement update
2016-08-02 00:00:00
php security and bug fix update
2016-08-11 00:00:00
friendsofphp
friendsofphp
HTTP Proxy header vulnerability
2018-02-12 19:47:17
HTTP Proxy header vulnerability
2018-02-12 19:47:17
HTTP Proxy header vulnerability
2016-07-18 20:27:36
redhatcve
redhatcve
CVE-2016-5385
2016-07-18 14:19:09
CVE-2016-5386
2020-04-07 16:54:43
CVE-2016-5387
2016-07-18 14:19:04
github
github
HTTP Proxy header vulnerability
2022-04-07 13:59:22
veracode
veracode
HTTPoxy Vulnerability
2017-05-03 02:22:45
Open Redirection
2019-01-15 09:12:18
Open Redirection
2019-01-15 09:12:46
amazon
amazon
Medium: golang
2016-08-17 13:30:00
Important: httpd24, httpd
2016-07-20 18:00:00
f5
f5
SOL92930514 - GO vulnerability CVE-2016-5386
2016-07-25 00:00:00
K73071205 : PHP vulnerability CVE-2016-5385
2016-07-26 00:00:00
K92930514 : GO vulnerability CVE-2016-5386
2016-07-25 00:00:00
huawei
huawei
Security Advisory - A CGI application vulnerability in Some Huawei Products
2017-11-29 00:00:00
cve
cve
CVE-2016-5385
2016-07-19 02:00:17
CVE-2016-5386
2016-07-19 02:00:18
CVE-2016-5387
2016-07-19 02:00:19
debiancve
debiancve
CVE-2016-5385
2016-07-19 02:00:00
CVE-2016-5387
2016-07-19 02:00:19
centos
centos
php security update
2016-08-11 21:20:11
php security update
2016-08-12 11:27:56
httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update
2016-07-18 16:26:29
redhat
redhat
(RHSA-2016:1611) Moderate: php55-php security update
2016-08-11 19:52:52
(RHSA-2016:1612) Moderate: rh-php56-php security update
2016-08-11 19:53:18
(RHSA-2016:1610) Moderate: php54-php security update
2016-08-11 19:51:58
cvelist
cvelist
CVE-2016-5385
2016-07-19 01:00:00
CVE-2016-5386
2016-07-19 01:00:00
CVE-2016-5387
2016-07-19 01:00:00
mageia
mageia
Updated golang package fixes security vulnerability
2016-09-23 23:57:12
Updated apache packages fix security vulnerability
2016-07-27 00:16:28
Updated perl-CGI-Emulate-PSGI packages fix security vulnerability
2017-05-26 09:54:58
debian
debian
[SECURITY] [DLA 553-1] apache2 security update
2016-07-20 11:30:29
[SECURITY] [DSA 3623-1] apache2 security update
2016-07-20 08:39:47
[SECURITY] [DSA 3623-1] apache2 security update
2016-07-20 08:39:47
osv
osv
CVE-2016-5387
2016-07-19 02:00:00
HTTP Proxy header vulnerability
2022-04-07 13:59:22
Improper input validation in net/http and net/http/cgi
2022-08-09 17:05:15
typo3
typo3
Environment Variable Injection in extension "AWS SDK for PHP" (aws_sdk_php)
2018-08-09 00:00:00
Environment Variable Injection
2016-07-19 00:00:00
Environment Variable Injection in extension "Amazon AWS S3 FAL driver (CDN)" (aus_driver_amazon_s3)
2018-08-09 00:00:00
gitlab
gitlab
HTTP Proxy header vulnerability
2016-07-18 00:00:00
httpd
httpd
Apache Httpd < 2.4.25 : HTTP_PROXY environment variable "httpoxy" mitigation
2016-07-02 00:00:00
Apache Httpd < 2.2.32 : HTTP_PROXY environment variable "httpoxy" mitigation
2016-07-02 00:00:00
ubuntu
ubuntu
Apache HTTP Server vulnerability
2016-07-18 00:00:00
alpinelinux
alpinelinux
CVE-2016-5387
2016-07-19 02:00:19
archlinux
archlinux
drupal: proxy injection
2016-07-21 00:00:00

0.936 High

EPSS

Percentile

99.1%

JSON
Related for CFOUNDRY:1EE86C629ABCD63B886F991BBE5E0A75
ibm8cert1checkpoint_advisories1threatpost1nessus45openvas43impervablog1fedora12prion4ubuntucve5nvd5oraclelinux5friendsofphp9redhatcve4github1veracode3amazon2f55huawei1cve5debiancve2centos4redhat10cvelist3mageia3debian3osv3typo34gitlab1httpd2ubuntu1alpinelinux1archlinux1