CVE-2016-5388

HIGH

Redhat Enterprise Linux Desktop < 7.5.5.0 - Improper Access Control

Title source: rule
STIX 2.1

Description

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

References (25)

Core 25
Core References
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2016:1635
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/797896
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-2045.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-2046.html
Release Notes, Vendor Advisory x_refsource_confirm
https://tomcat.apache.org/tomcat-7.0-doc/changelog.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/91818
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1624.html
Vendor Advisory x_refsource_confirm
https://www.apache.org/security/asf-httpoxy-response.txt
Third Party Advisory x_refsource_misc
https://httpoxy.org/
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Third Party Advisory, VDB Entry, Vendor Advisory vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036331
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2016:1636
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html

Scores

CVSS v3 8.1
EPSS 0.3676
EPSS Percentile 97.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-284
Status published
Products (17)
apache/tomcat 6.0 - 6.0.45
hp/system_management_homepage < 7.5.5.0
oracle/linux 6
oracle/linux 7
org.apache.tomcat/tomcat-catalina 7.0.0 - 7.0.72Maven
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_desktop 6.0
redhat/enterprise_linux_hpc_node 7.0
redhat/enterprise_linux_hpc_node 6.0
redhat/enterprise_linux_hpc_node_eus 7.2
... and 7 more
Published Jul 19, 2016
Tracked Since Feb 18, 2026