CVE-2016-1000109
MEDIUM
HHVM < 3.9.6, 3.10.0-3.12.4, 3.13.0-3.14.2 - HTTP Proxy Header Injection via HTTP_PROXY Environment Variable
Title source: llmDescription
HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. This issue affects HHVM versions prior to 3.9.6, all versions between 3.10.0 and 3.12.4 (inclusive), and all versions between 3.13.0 and 3.14.2 (inclusive).
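The description above compresses three facts into one sentence: RFC 3875 maps every request header into an HTTP_<NAME> meta-variable, a client is therefore free to send a header literally named "Proxy", and most HTTP client code resolves its outbound proxy by reading HTTP_PROXY from the environment. The following added example (written for this page, not HHVM's code or the code from the referenced commit) simulates that chain in Python so the collision and the two standard mitigations from httpoxy.org can be observed on a constructed request. The sample headers, the internal target URL, the 203.0.113.7 proxy address (an RFC 5737 documentation address) and all function names are assumptions for illustration only.

```python
"""Added example, not part of CVE-2016-1000109 or the HHVM project:
models the RFC 3875 header-to-environment mapping, a client that trusts
HTTP_PROXY, and the two usual httpoxy mitigations."""
from urllib.parse import urlsplit

# Constructed sample request. The attacker adds a "Proxy" header;
# 203.0.113.7 is a documentation address standing in for their server.
SAMPLE_HEADERS = {
    "Host": "app.example",
    "User-Agent": "curl/7.0",
    "Proxy": "http://203.0.113.7:8080",
}


def cgi_meta_variables(headers, method="GET"):
    """RFC 3875 section 4.1.18: each request header becomes HTTP_<NAME>,
    uppercased with '-' replaced by '_'. Nothing in the rule distinguishes
    a client-sent 'Proxy' header from an operator-set HTTP_PROXY variable,
    which is the namespace conflict the CVE text refers to."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def proxy_for_naive(env):
    """Vulnerable behaviour: pick the outbound proxy from the environment,
    the way typical HTTP client libraries did before the httpoxy fixes."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def proxy_for_hardened(env):
    """Library-side mitigation recommended by httpoxy.org: when
    REQUEST_METHOD is present the process is serving a CGI request, so the
    uppercase HTTP_PROXY may be client data and is ignored. A lowercase
    http_proxy cannot be produced by the RFC 3875 mapping (it always yields
    uppercase names), so a genuine operator setting is still honoured."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def strip_proxy_header(headers):
    """Gateway-side mitigation: drop the Proxy header before the request
    reaches the CGI/FastCGI layer. 'Proxy' is not a standard request header,
    so refusing it costs nothing."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


def resolve_upstream(env, target="http://api.internal/orders",
                     resolver=proxy_for_naive):
    """Return the host:port the application would actually open a TCP
    connection to when fetching `target`."""
    proxy = resolver(env)
    return urlsplit(proxy if proxy else target).netloc


if __name__ == "__main__":
    env = cgi_meta_variables(SAMPLE_HEADERS)
    print("naive client connects to    ", resolve_upstream(env))
    print("hardened client connects to ", resolve_upstream(env, resolver=proxy_for_hardened))
    clean_env = cgi_meta_variables(strip_proxy_header(SAMPLE_HEADERS))
    print("after gateway header strip  ", resolve_upstream(clean_env))
```

Run stand-alone, the naive resolver reports the attacker's host while both mitigations report the intended api.internal. The REQUEST_METHOD check is the right shape for a runtime such as HHVM that serves requests over FastCGI: the variable is set for every request and never for a CLI invocation, so the check does not break legitimate proxy configuration in command-line use.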
References (3)
- https://httpoxy.org/ (Exploit, Mitigation, Third Party Advisory)
- https://github.com/facebook/hhvm/commit/423b4b719afd5ef4e6e19d8447fbf7b6bc0d0a25 (Patch, Third Party Advisory)
- https://www.facebook.com/security/advisories/cve-2016-1000109 (Third Party Advisory)
Scores
CVSS v3
5.3
EPSS
0.0495
EPSS Percentile
91.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-665
Status
published
Products (1)
facebook/hhvm
< 3.9.6; 3.10.0 through 3.12.4; 3.13.0 through 3.14.2 (all ranges inclusive, per the description above)
Published
Feb 19, 2020
Tracked Since
Feb 18, 2026