CVE-2016-5388 log
| Source |
|
| Severity | Medium |
| Remote | Yes |
| Type | Proxy injection |
| Description | It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. |
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-51 | tomcat6 | 6.0.45-1 | 6.0.47-1 | Medium | Fixed | |
| AVG-25 | tomcat8 | 8.0.36-1 | 8.0.37-1 | Medium | Fixed | |
| AVG-23 | tomcat7 | 7.0.70-1 | 7.0.72-1 | Medium | Fixed |
| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 02 Nov 2016 | ASA-201611-6 | AVG-51 | tomcat6 | Medium | proxy injection |
| 07 Sep 2016 | ASA-201609-7 | AVG-25 | tomcat8 | Medium | proxy injection |
| 22 Sep 2016 | ASA-201609-21 | AVG-23 | tomcat7 | Medium | proxy injection |
| References |
|---|
https://www.apache.org/security/asf-httpoxy-response.txt |