Vulnerability Details : CVE-2016-5388
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Products affected by CVE-2016-5388
- cpe:2.3:a:hp:system_management_homepage:*:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:linux:6:*:*:*:*:*:*:*
Threat overview for CVE-2016-5388
Top countries where our scanners detected CVE-2016-5388
Top open port discovered on systems with this issue
80
IPs affected by CVE-2016-5388 168,843
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2016-5388!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2016-5388
75.02%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-5388
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.1
|
MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P |
4.9
|
6.4
|
NIST | |
|
8.1
|
HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
NIST |
CWE ids for CVE-2016-5388
-
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-5388
-
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
HPSBMU03691 rev.1 - HPE Insight Control, Multiple Remote VulnerabilitiesThird Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2016-2045.html
RHSA-2016:2045 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
[jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jet
-
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
HPSBUX03665 rev.3 - HP-UX Tomcat-based Servlet Engine, Remote Denial of Service (DoS), URL RedirectionThird Party Advisory
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
Oracle Linux Bulletin - October 2016Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2016:1635
RHSA-2016:1635 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d%40%3Cissues.activemq.apache.org%3E
[jira] [Created] (AMQ-7310) Security Vulnerabilities in Tomcat-websocket-api.jar-Apache Mail Archives
-
http://rhn.redhat.com/errata/RHSA-2016-1624.html
Red Hat Customer PortalThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html
[SECURITY] [DLA 1883-1] tomcat8 security update
-
https://access.redhat.com/errata/RHSA-2016:1636
RHSA-2016:1636 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
HPSBMU03653 rev.1 - HPE System Management Homepage (SMH), Remote Arbitrary Code Execution, Cross-Site Scripting (XSS), Denial of Service (DoS), Unauthorized Disclosure of InformationThird Party Advisory
-
http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html
openSUSE-SU-2016:2252-1: moderate: Security update for tomcatThird Party Advisory
-
http://www.securitytracker.com/id/1036331
Apache Tomcat CGI Application "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases - SecurityTrackerThird Party Advisory;VDB Entry;Vendor Advisory
-
http://rhn.redhat.com/errata/RHSA-2016-2046.html
RHSA-2016:2046 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://httpoxy.org/
httpoxyThird Party Advisory
-
http://www.securityfocus.com/bid/91818
Apache Tomcat CVE-2016-5388 Security Bypass VulnerabilityThird Party Advisory;VDB Entry
-
https://lists.apache.org/thread.html/r2853582063cfd9e7fbae1e029ae004e6a83482ae9b70a698996353dd%40%3Cusers.tomcat.apache.org%3E
Re: CVE reporting discrepencies-Apache Mail Archives
-
https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E
[jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries.-Apache Mail Archives
-
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
HPESBHF03770 rev.1 - HPE Comware 7 MSR Routers using PHP, Go, Apache Http Server, and Tomcat, Remote Arbitrary Code ExecutionThird Party Advisory
-
http://www.kb.cert.org/vuls/id/797896
VU#797896 - CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variablesThird Party Advisory;US Government Resource
-
https://lists.apache.org/thread.html/rc6b2147532416cc736e68a32678d3947b7053c3085cf43a9874fd102%40%3Cusers.tomcat.apache.org%3E
CVE reporting discrepencies-Apache Mail Archives
-
https://lists.apache.org/thread.html/rf21b368769ae70de4dee840a3228721ae442f1d51ad8742003aefe39%40%3Cusers.tomcat.apache.org%3E
Re: CVE reporting discrepencies-Apache Mail Archives
-
https://tomcat.apache.org/tomcat-7.0-doc/changelog.html
Apache Tomcat 7 (7.0.96) - ChangelogRelease Notes;Vendor Advisory
-
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Oracle Critical Patch Update - July 2017Patch;Third Party Advisory
-
https://www.apache.org/security/asf-httpoxy-response.txt
Vendor Advisory
Jump to