It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.

References

access.redhat.com/security/vulnerabilities/httpoxy https://httpoxy.org/ https://www.apache.org/security/asf-httpoxy-response.txt

bugzilla.redhat.com/show_bug.cgi?id=1353755

debian 4

openvas 30

nessus 43

fedora 4

veracode 1

debiancve 1

ubuntucve 3

osv 3

amazon 1

centos 2

ibm 12

redhat 8

ubuntu 1

httpd 2

alpinelinux 1

f5 2

mageia 2

prion 3

oraclelinux 2

cvelist 2

cve 3

nvd 3

redhatcve 1

cloudfoundry 1

altlinux 3

slackware 1

freebsd 1

threatpost 1

cert 1

checkpoint_advisories 1

gentoo 1

impervablog 1

apple 6

oracle 2

debian

[SECURITY] [DLA 553-1] apache2 security update

2016-07-20 11:30:29

[SECURITY] [DSA 3623-1] apache2 security update

2016-07-20 08:39:47

[SECURITY] [DSA 3623-1] apache2 security update

2016-07-20 08:39:47

openvas

Fedora Update for perl-CGI-Emulate-PSGI FEDORA-2016-a29c65b00f

2016-08-09 00:00:00

Apache HTTP Server Man-in-the-Middle Attack Vulnerability (Jul 2016) - Windows

2016-07-26 00:00:00

RedHat Update for httpd RHSA-2016:1422-01

2016-07-19 00:00:00

nessus

Scientific Linux Security Update : httpd on SL5.x, SL6.x i386/x86_64 (20160718) (httpoxy)

2016-07-19 00:00:00

Fedora 24 : httpd (2016-9fd9bfab9e) (httpoxy)

2016-07-25 00:00:00

Oracle Linux 5 / 6 : httpd (ELSA-2016-1421) (httpoxy)

2016-07-19 00:00:00

fedora

[SECURITY] Fedora 23 Update: httpd-2.4.23-4.fc23

2016-07-27 20:56:05

[SECURITY] Fedora 24 Update: httpd-2.4.23-4.fc24

2016-07-22 16:00:58

[SECURITY] Fedora 24 Update: perl-CGI-Emulate-PSGI-0.22-1.fc24

2016-08-08 20:37:39

veracode

Open Redirection

2019-01-15 09:12:18

debiancve

CVE-2016-5387

2016-07-19 02:00:19

ubuntucve

CVE-2016-5387

2016-07-18 00:00:00

CVE-2016-4694

2016-09-25 00:00:00

CVE-2016-1000104

2019-12-03 00:00:00

osv

CVE-2016-5387

2016-07-19 02:00:00

wordpress - security update

2016-07-29 00:00:00

apache2-2.4.49-1.1 on GA media

2024-06-15 00:00:00

amazon

Important: httpd24, httpd

2016-07-20 18:00:00

centos

httpd, mod_ssl security update

2016-07-18 15:57:06

httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update

2016-07-18 16:26:29

ibm

Security Bulletin: A vulnerability in the Apache HTTP Server affects PowerKVM (CVE-2016-5387)

2018-06-18 01:32:51

Security Bulletin: Redirect HTTP traffic vulnerability may affect IBM HTTP Server (CVE-2016-5387)

2022-09-08 00:09:56

Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli Security Policy Manager (CVE-2016-5387)

2018-06-16 21:48:41

redhat

(RHSA-2016:1421) Important: httpd security update

2016-07-18 00:00:00

(RHSA-2016:1851) Important: Red Hat JBoss Core Services Apache HTTP 2.4.6 Service Pack 1 security update

2016-09-12 16:50:10

(RHSA-2016:1422) Important: httpd security and bug fix update

2016-07-18 14:13:23

ubuntu

Apache HTTP Server vulnerability

2016-07-18 00:00:00

httpd

Apache Httpd < 2.2.32 : HTTP_PROXY environment variable "httpoxy" mitigation

2016-07-02 00:00:00

Apache Httpd < 2.4.25 : HTTP_PROXY environment variable "httpoxy" mitigation

2016-07-02 00:00:00

alpinelinux

CVE-2016-5387

2016-07-19 02:00:19

SOL80513384 - Apache HTTPD vulnerability CVE-2016-5387

2016-08-02 00:00:00

Apache HTTPD vulnerability CVE-2016-5387

2016-08-02 21:36:00

mageia

Updated perl-CGI-Emulate-PSGI packages fix security vulnerability

2017-05-26 09:54:58

Updated apache packages fix security vulnerability

2016-07-27 00:16:28

prion

Design/Logic Flaw

2016-07-19 02:00:00

Design/Logic Flaw

2016-10-06 14:59:00

Design/Logic Flaw

2016-09-25 10:59:00

oraclelinux

httpd security update

2016-07-18 00:00:00

httpd security and bug fix update

2016-07-18 00:00:00

cvelist

CVE-2016-5387

2016-07-19 01:00:00

CVE-2016-4694

2016-09-25 10:00:00

cve

CVE-2016-5387

2016-07-19 02:00:19

CVE-2016-4694

2016-09-25 10:59:03

CVE-2016-1000102

2016-10-06 14:59:17

nvd

CVE-2016-5387

2016-07-19 02:00:19

CVE-2016-1000102

2016-10-06 14:59:17

CVE-2016-4694

2016-09-25 10:59:03

redhatcve

CVE-2016-1000104

2016-07-18 14:49:14

cloudfoundry

Multiple CVEs: httpoxy | Cloud Foundry

2016-12-21 00:00:00

altlinux

Security fix for the ALT Linux 8 package apache2 version 1:2.4.25-alt1

2017-05-18 00:00:00

Security fix for the ALT Linux 9 package apache2 version 1:2.4.25-alt1

2017-05-18 00:00:00

Security fix for the ALT Linux 10 package apache2 version 1:2.4.25-alt1

2017-05-18 00:00:00

slackware

[slackware-security] httpd

2016-12-24 01:35:08

freebsd

Apache httpd -- several vulnerabilities

2016-12-20 00:00:00

threatpost

CGI Script Vulnerability 'Httpoxy' Allows Man-in-the-Middle Attack

2016-07-18 18:00:46

cert

CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables

2016-07-18 00:00:00

checkpoint_advisories

CGI Namespace Conflict Man-In-The-Middle (httpoxy; CVE-2016-1000109; CVE-2016-1000110; CVE-2016-5385; CVE-2016-5386; CVE-2016-5387; CVE-2016-5388)

2016-07-19 00:00:00

gentoo

Apache: Multiple vulnerabilities

2017-01-15 00:00:00

impervablog

Python and Go Top the Chart of 2019’s Most Popular Hacking Tools

2020-05-27 09:22:21

apple

About the security content of macOS High Sierra 10.13

2017-09-25 00:00:00

About the security content of macOS High Sierra 10.13 - Apple Support

2020-02-06 07:51:09

About the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite - Apple Support

2017-08-29 02:52:03

oracle

Oracle Critical Patch Update - January 2018

2018-01-16 00:00:00

Oracle Critical Patch Update Advisory - July 2017

2018-03-20 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

EPSS

0.2

Percentile

96.4%

JSON

Related for RH:CVE-2016-5387