CVE-2016-5388
Severity | Medium |
Remote | Yes |
Type | Proxy injection |
Description | It was discovered that Tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. |
Group | Package | Affected | Fixed | Severity | Status | Ticket |
---|---|---|---|---|---|---|
AVG-51 | tomcat6 | 6.0.45-1 | 6.0.47-1 | Medium | Fixed | |
AVG-25 | tomcat8 | 8.0.36-1 | 8.0.37-1 | Medium | Fixed | |
AVG-23 | tomcat7 | 7.0.70-1 | 7.0.72-1 | Medium | Fixed | |
Date | Advisory | Group | Package | Severity | Type |
---|---|---|---|---|---|
02 Nov 2016 | ASA-201611-6 | AVG-51 | tomcat6 | Medium | proxy injection |
07 Sep 2016 | ASA-201609-7 | AVG-25 | tomcat8 | Medium | proxy injection |
22 Sep 2016 | ASA-201609-21 | AVG-23 | tomcat7 | Medium | proxy injection |
References |
---|
https://www.apache.org/security/asf-httpoxy-response.txt |