CVE-2016-5387

high Apache
CVSS v3 Base Score
8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
60.3%
Exploitation probability in 30 days
Top 2% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Confidentiality
High
Integrity
High
Availability
High
Published: July 19, 2016 (3587 days ago)
Last Modified: May 6, 2026
Vendor: Apache
Source: NVD

Description

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.

CWE

NVD-CWE-noinfo

Affected Products

apache http serverhp system management homepageoracle communications user data repositoryoracle enterprise manager ops centeroracle linuxoracle solarisfedoraproject fedoraredhat jboss web serverredhat jboss enterprise web serverredhat jboss core services

References

🔗 lists.opensuse.org 🔗 rhn.redhat.com 🔗 rhn.redhat.com 🔗 rhn.redhat.com 🔗 rhn.redhat.com