CVE-2016-5386

HIGH

Go net/http/cgi < 1.6.3 - Improper Access Control (httpoxy)

Description

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

The mechanism is the CGI meta-variable rule itself: RFC 3875 turns every request header into an environment variable by uppercasing it, replacing "-" with "_" and prefixing "HTTP_", so a client-supplied "Proxy:" header becomes HTTP_PROXY, the variable that most HTTP client libraries (including Go's own http.ProxyFromEnvironment) read to pick an outbound proxy. A CGI child that then makes HTTP requests sends them, including any credentials or internal API traffic, through the attacker's proxy. The CVSS Attack Complexity of High reflects that exploitation requires an application served through net/http/cgi that makes proxy-aware outbound HTTP requests; FastCGI and ordinary net/http handlers are not affected. The fix shipped in Go 1.6.3 and Go 1.7 rc2 on both sides: net/http/cgi no longer copies a Proxy request header into HTTP_PROXY, and net/http's ProxyFromEnvironment refuses an HTTP_PROXY value when REQUEST_METHOD is set (that is, when the process is itself running as a CGI script).
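The following Go program is an added illustration written for this page; it is not code from Go or from any of the referenced advisories. It re-implements the RFC 3875 header-to-variable mapping to show how a "Proxy" request header becomes HTTP_PROXY, places the pre-1.6.3 behaviour (every header copied) beside the fixed behaviour (the Proxy header skipped), and adds the client-side guard that refuses HTTP_PROXY when REQUEST_METHOD is present. The function names cgiEnv, proxyFromEnv and lookupEnv are this example's own, and the host names attacker.example and proxy.corp.example are constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"strings"
)

// headerToCGIName applies the RFC 3875 section 4.1.18 rule that creates the
// collision: uppercase the header name, turn '-' into '_', prefix "HTTP_".
// A request header "Proxy" therefore lands in HTTP_PROXY, the variable most
// HTTP client libraries read for their outbound proxy.
func headerToCGIName(header string) string {
	mapped := strings.Map(func(r rune) rune {
		switch {
		case r == '-':
			return '_'
		case r >= 'a' && r <= 'z':
			return r - 'a' + 'A'
		}
		return r
	}, header)
	return "HTTP_" + mapped
}

// cgiEnv builds the HTTP_* environment a CGI host hands to the child process.
// stripProxy=false mirrors the vulnerable behaviour (every header is copied);
// stripProxy=true mirrors the fix, which skips the Proxy header entirely.
// (Example re-implementation, not the net/http/cgi source.)
func cgiEnv(hdr http.Header, stripProxy bool) []string {
	var env []string
	for name, values := range hdr {
		cgiName := headerToCGIName(name)
		if stripProxy && cgiName == "HTTP_PROXY" {
			continue // attacker-controlled; never let it become HTTP_PROXY
		}
		env = append(env, cgiName+"="+strings.Join(values, ", "))
	}
	sort.Strings(env) // deterministic order for display and tests
	return env
}

// lookupEnv returns the value of name in a NAME=value slice.
func lookupEnv(env []string, name string) (string, bool) {
	for _, kv := range env {
		if strings.HasPrefix(kv, name+"=") {
			return kv[len(name)+1:], true
		}
	}
	return "", false
}

var errProxyInCGI = errors.New("refusing to use HTTP_PROXY value in CGI environment")

// proxyFromEnv is the client-side guard: a process that is itself running as a
// CGI script (REQUEST_METHOD is set by every CGI host) must not honour
// HTTP_PROXY, because under CGI that variable may have come from a request
// header. env is passed explicitly so the check can be exercised offline.
func proxyFromEnv(env map[string]string) (*url.URL, error) {
	proxy := env["HTTP_PROXY"]
	if proxy == "" {
		proxy = env["http_proxy"]
	}
	if proxy == "" {
		return nil, nil
	}
	if env["REQUEST_METHOD"] != "" {
		return nil, errProxyInCGI
	}
	return url.Parse(proxy)
}

func main() {
	// Constructed request: one ordinary header plus the crafted Proxy header.
	hdr := http.Header{}
	hdr.Set("X-Forwarded-For", "203.0.113.5")
	hdr.Set("Proxy", "http://attacker.example:8080")

	fmt.Println("vulnerable CGI host:", cgiEnv(hdr, false))
	fmt.Println("fixed CGI host:     ", cgiEnv(hdr, true))

	// Constructed environment of a CGI child that received the crafted header.
	cgiChild := map[string]string{
		"REQUEST_METHOD": "GET",
		"HTTP_PROXY":     "http://attacker.example:8080",
	}
	if _, err := proxyFromEnv(cgiChild); err != nil {
		fmt.Println("client guard:", err)
	}
}
```

Both halves matter in practice: stripping the header at the CGI host protects children written in any language, while the REQUEST_METHOD check protects a Go client that is run under a CGI host that has not been patched. An operator can reproduce the server-side condition by sending a request with a "Proxy:" header to a CGI endpoint and checking whether the child's environment contains HTTP_PROXY.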

References (9)

http://www.kb.cert.org/vuls/id/797896 (CERT/CC VU#797896; third-party advisory, US Government resource)
https://bugzilla.redhat.com/show_bug.cgi?id=1353798 (Red Hat Bugzilla issue tracking; third-party advisory)
http://rhn.redhat.com/errata/RHSA-2016-1538.html (Red Hat vendor advisory RHSA-2016-1538)
https://httpoxy.org/ (third-party advisory describing the httpoxy class of bugs)
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html (Oracle Critical Patch Update, July 2017; patch, third-party advisory)

Scores

CVSS v3 8.1
EPSS 0.4590
EPSS Percentile 97.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-284
Status published
Products (8)
fedoraproject/fedora 23
fedoraproject/fedora 24
golang/go 1.7 rc1
golang/go 1.0 - 1.6.3
oracle/linux 7
redhat/enterprise_linux_server 7.0
redhat/enterprise_linux_server_aus 7.2
redhat/enterprise_linux_server_eus 7.2
Published Jul 19, 2016
Tracked Since Feb 18, 2026