Vulnerability Details : CVE-2016-5386
The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
Vulnerability category: BypassGain privilege
Exploit prediction scoring system (EPSS) score for CVE-2016-5386
Probability of exploitation activity in the next 30 days: 23.61%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 96 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2016-5386
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST |
|
8.1
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
NIST |
CWE ids for CVE-2016-5386
-
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-5386
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OR52UXGM6RKSCWF3KQMVZGVZVJ3WEESJ/
[SECURITY] Fedora 24 Update: golang-1.6.3-1.fc24 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://httpoxy.org/
httpoxyThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7WGHKKCFP4PLVSWQKCM3FJJPEWB5ZNTU/
[SECURITY] Fedora 23 Update: golang-1.5.4-2.fc23 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
HPESBHF03770 rev.1 - HPE Comware 7 MSR Routers using PHP, Go, Apache Http Server, and Tomcat, Remote Arbitrary Code ExecutionThird Party Advisory
-
http://www.kb.cert.org/vuls/id/797896
VU#797896 - CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variablesThird Party Advisory;US Government Resource
-
http://rhn.redhat.com/errata/RHSA-2016-1538.html
RHSA-2016:1538 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=1353798
1353798 – (CVE-2016-5386) CVE-2016-5386 Go: sets environmental variable based on user supplied Proxy request headerIssue Tracking;Third Party Advisory
-
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Oracle Critical Patch Update - July 2017Patch;Third Party Advisory
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
Oracle Linux Bulletin - July 2016Third Party Advisory
Products affected by CVE-2016-5386
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
- cpe:2.3:a:golang:go:1.7:rc1:*:*:*:*:*:*