CVE-2016-5387

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an applications outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an httpoxy issue. NOTE: the vendor states This mitigation has been assigned the identifier CVE-2016-5387; in other words, this is not a CVE ID for a vulnerability.

Affected Software

Name	Vendor	Start Version	End Version
Http_server	Apache	2.2.0 (including)	2.2.31 (including)
Http_server	Apache	2.4.1 (including)	2.4.23 (including)
JBoss Core Services on RHEL 6	RedHat	jbcs-httpd24-httpd-0:2.4.6-77.SP1.jbcs.el6	*
JBoss Core Services on RHEL 7	RedHat	jbcs-httpd24-httpd-0:2.4.6-77.SP1.jbcs.el7	*
Red Hat Enterprise Linux 5	RedHat	httpd-0:2.2.3-92.el5_11	*
Red Hat Enterprise Linux 6	RedHat	httpd-0:2.2.15-54.el6_8	*
Red Hat Enterprise Linux 7	RedHat	httpd-0:2.4.6-40.el7_2.4	*
Red Hat JBoss Enterprise Web Server 2 for RHEL 6	RedHat	httpd-0:2.2.26-54.ep6.el6	*
Red Hat JBoss Enterprise Web Server 2 for RHEL 6	RedHat	jbcs-httpd24-0:1-3.jbcs.el6	*
Red Hat JBoss Enterprise Web Server 2 for RHEL 6	RedHat	jbcs-httpd24-openssl-1:1.0.2h-4.jbcs.el6	*
Red Hat JBoss Enterprise Web Server 2 for RHEL 6	RedHat	mod_cluster-0:1.2.13-1.Final_redhat_1.1.ep6.el6	*
Red Hat JBoss Enterprise Web Server 2 for RHEL 6	RedHat	mod_cluster-native-0:1.2.13-3.Final_redhat_2.ep6.el6	*
Red Hat JBoss Enterprise Web Server 2 for RHEL 6	RedHat	mod_jk-0:1.2.41-2.redhat_3.ep6.el6	*
Red Hat JBoss Enterprise Web Server 2 for RHEL 6	RedHat	tomcat-native-0:1.1.34-5.redhat_1.ep6.el6	*
Red Hat JBoss Enterprise Web Server 2 for RHEL 7	RedHat	httpd22-0:2.2.26-56.ep6.el7	*
Red Hat JBoss Enterprise Web Server 2 for RHEL 7	RedHat	jbcs-httpd24-0:1-3.jbcs.el7	*
Red Hat JBoss Enterprise Web Server 2 for RHEL 7	RedHat	jbcs-httpd24-openssl-1:1.0.2h-4.jbcs.el7	*
Red Hat JBoss Enterprise Web Server 2 for RHEL 7	RedHat	mod_cluster-0:1.2.13-1.Final_redhat_1.1.ep6.el7	*
Red Hat JBoss Enterprise Web Server 2 for RHEL 7	RedHat	mod_cluster-native-0:1.2.13-3.Final_redhat_2.ep6.el7	*
Red Hat JBoss Enterprise Web Server 2 for RHEL 7	RedHat	mod_jk-0:1.2.41-2.redhat_3.ep6.el7	*
Red Hat JBoss Enterprise Web Server 2 for RHEL 7	RedHat	tomcat-native-0:1.1.34-5.redhat_1.ep6.el7	*
Red Hat JBoss Web Server 2.1	RedHat		*
Red Hat JBoss Web Server 3.0	RedHat		*
Red Hat JBoss Web Server 3 for RHEL 6	RedHat	httpd24-0:2.4.6-62.ep7.el6	*
Red Hat JBoss Web Server 3 for RHEL 6	RedHat	tomcat7-0:7.0.59-51_patch_01.ep7.el6	*
Red Hat JBoss Web Server 3 for RHEL 6	RedHat	tomcat8-0:8.0.18-62_patch_01.ep7.el6	*
Red Hat JBoss Web Server 3 for RHEL 7	RedHat	httpd24-0:2.4.6-62.ep7.el7	*
Red Hat JBoss Web Server 3 for RHEL 7	RedHat	tomcat7-0:7.0.59-51_patch_01.ep7.el7	*
Red Hat JBoss Web Server 3 for RHEL 7	RedHat	tomcat8-0:8.0.18-62_patch_01.ep7.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 6	RedHat	httpd24-httpd-0:2.4.18-11.el6	*
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS	RedHat	httpd24-httpd-0:2.4.18-11.el6	*
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS	RedHat	httpd24-httpd-0:2.4.18-11.el6	*
Red Hat Software Collections for Red Hat Enterprise Linux 7	RedHat	httpd24-httpd-0:2.4.18-11.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS	RedHat	httpd24-httpd-0:2.4.18-11.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS	RedHat	httpd24-httpd-0:2.4.18-11.el7	*
Text-Only JBCS	RedHat		*
Apache2	Ubuntu	devel	*
Apache2	Ubuntu	esm-infra-legacy/trusty	*
Apache2	Ubuntu	esm-infra/xenial	*
Apache2	Ubuntu	precise	*
Apache2	Ubuntu	trusty	*
Apache2	Ubuntu	trusty/esm	*
Apache2	Ubuntu	wily	*
Apache2	Ubuntu	xenial	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2016-5387
CWE	https://cwe.mitre.org/data/definitions/.html

Affected Software

References