Linux Distros Unpatched Vulnerability : CVE-2016-5386

🗓️ 03 Sep 2025 00:00:00Reported by TenableType

Go net/http up to 1.6 is vulnerable to httpoxy, enabling CGI traffic redirection via HTTP_PROXY.

Reporter	Title	Published	Views	Family All 74
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Apache Tomcat affect the IBM FlashSystem models 840 and 900	18 Feb 202301:45	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Apache Tomcat affect the IBM FlashSystem model V840	18 Jun 201800:32	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Concert Software is vulnerable to multiple issues	22 Aug 202417:47	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in Apache Tomcat affect SAN Volume Controller, Storwize family and FlashSystem V9000 products	29 Mar 202301:48	–	ibm
ATTACKERKB	CVE-2016-1000101	6 Oct 201614:59	–	attackerkb
Amazon	Medium: golang	17 Aug 201600:00	–	amazon
Tenable Nessus	Amazon Linux AMI : golang (ALAS-2016-731) (httpoxy)	18 Aug 201600:00	–	nessus
Tenable Nessus	CentOS 7 : golang (CESA-2016:1538) (httpoxy)	3 Aug 201600:00	–	nessus
Tenable Nessus	Fedora 23 : golang (2016-340e361b90) (httpoxy)	29 Jul 201600:00	–	nessus
Tenable Nessus	Fedora 24 : golang (2016-ea5e284d34) (httpoxy)	29 Jul 201600:00	–	nessus

Source	Link
ubuntu	www.ubuntu.com/security/CVE-2016-5386
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(261016);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/03");

  script_cve_id("CVE-2016-5386");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2016-5386");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace
    conflicts and therefore does not protect CGI applications from the presence of untrusted client data in
    the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's
    outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an
    httpoxy issue. (CVE-2016-5386)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2016-5386");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5386");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/09/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-1.6");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Ubuntu Linux-16.04");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Ubuntu Linux-16.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "16.04",
        "pkgs": [
          {"reference": "golang-1.6"},
          {"reference": "golang-1.6-doc"},
          {"reference": "golang-1.6-go"},
          {"reference": "golang-1.6-src"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

03 Sep 2025 00:00Current

6.8Medium risk

Vulners AI Score6.8

CVSS 26.8

CVSS 3.18.1

EPSS0.45904