It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.

References

bugzilla.redhat.com/show_bug.cgi?id=1353809

archlinux 3

cve 2

openvas 15

f5 2

mageia 1

amazon 1

ibm 11

nessus 23

prion 2

github 1

osv 3

ubuntucve 1

debiancve 1

redhat 4

veracode 1

ubuntu 3

debian 1

centos 2

oraclelinux 2

threatpost 1

checkpoint_advisories 1

cert 1

fedora 3

impervablog 1

suse 2

oracle 1

archlinux

[ASA-201609-21] tomcat7: proxy injection

2016-09-22 00:00:00

[ASA-201609-7] tomcat8: proxy injection

2016-09-10 00:00:00

[ASA-201611-6] tomcat6: proxy injection

2016-11-02 00:00:00

cve

CVE-2016-5388

2016-07-19 02:00:00

CVE-2016-1000106

2016-10-06 14:59:00

openvas

Amazon Linux: Security Advisory (ALAS-2016-722)

2016-10-26 00:00:00

Apache Tomcat 'CGI Servlet' Man-in-the-Middle Vulnerability

2016-08-02 00:00:00

Debian LTS: Security Advisory for tomcat8 (DLA-1883-1)

2019-08-14 00:00:00

K51663510 : Apache Tomcat vulnerability CVE-2016-5388

2016-07-26 00:00:00

SOL51663510 - Apache Tomcat vulnerability CVE-2016-5388

2016-07-26 00:00:00

mageia

Updated tomcat packages fix security vulnerability

2016-09-21 23:38:22

amazon

Medium: tomcat6, tomcat7, tomcat8

2016-07-20 18:00:00

ibm

Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerability (CVE-2016-5388)

2019-11-18 13:57:34

Security Bulletin: A security vulnerability has been identified in IBM Cognos Business Intelligence shipped with IBM Cognos Planning (CVE-2016-5388).

2018-06-25 05:54:54

Security Bulletin: Vulnerabilities CVE-2016-5387 and CVE-2016-5388 in IBM i HTTP Server

2019-12-18 14:26:38

nessus

Amazon Linux AMI : tomcat6 / tomcat7,tomcat8 (ALAS-2016-722) (httpoxy)

2016-07-21 00:00:00

openSUSE Security Update : tomcat (openSUSE-2016-1056) (httpoxy)

2016-09-08 00:00:00

Ubuntu 16.04 ESM : Apache Tomcat 7 vulnerabilities (USN-4791-1)

2023-10-20 00:00:00

prion

Design/Logic Flaw

2016-07-19 02:00:00

Design/Logic Flaw

2016-10-06 14:59:00

github

Improper Access Control in Apache Tomcat

2022-05-13 01:23:38

osv

Improper Access Control in Apache Tomcat

2022-05-13 01:23:38

tomcat7 vulnerabilities

2021-03-15 21:11:25

tomcat8 - security update

2019-08-13 00:00:00

ubuntucve

CVE-2016-5388

2016-07-18 00:00:00

debiancve

CVE-2016-5388

2016-07-19 02:00:00

redhat

(RHSA-2016:1636) Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update

2016-07-22 06:07:30

(RHSA-2016:1635) Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update

2016-07-22 05:29:50

(RHSA-2016:2046) Important: tomcat security update

2016-10-10 18:29:51

veracode

Httpoxy Vulnerability Through CGI Servlet

2017-04-04 04:22:07

ubuntu

Apache Tomcat 7 vulnerabilities

2021-03-15 00:00:00

Tomcat vulnerabilities

2017-01-23 00:00:00

Tomcat regression

2017-02-02 00:00:00

debian

[SECURITY] [DLA 1883-1] tomcat8 security update

2019-08-13 19:30:16

centos

tomcat security update

2016-10-11 18:36:52

tomcat6 security update

2016-10-11 18:36:02

oraclelinux

tomcat security update

2016-10-10 00:00:00

tomcat6 security and bug fix update

2016-10-10 00:00:00

threatpost

CGI Script Vulnerability 'Httpoxy' Allows Man-in-the-Middle Attack

2016-07-18 18:00:46

checkpoint_advisories

CGI Namespace Conflict Man-In-The-Middle (httpoxy; CVE-2016-1000109; CVE-2016-1000110; CVE-2016-5385; CVE-2016-5386; CVE-2016-5387; CVE-2016-5388)

2016-07-19 00:00:00

cert

CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables

2016-07-18 00:00:00

fedora

[SECURITY] Fedora 24 Update: tomcat-8.0.38-1.fc24

2016-11-12 23:56:29

[SECURITY] Fedora 23 Update: tomcat-8.0.38-1.fc23

2016-11-13 02:21:02

[SECURITY] Fedora 25 Update: tomcat-8.0.38-1.fc25

2016-11-19 21:26:18

impervablog

Python and Go Top the Chart of 2019’s Most Popular Hacking Tools

2020-05-27 09:22:21

suse

Security update for tomcat6 (important)

2017-06-21 12:10:05

Security update for tomcat (important)

2017-06-23 15:09:55

oracle

Oracle Critical Patch Update Advisory - July 2017

2018-03-20 00:00:00

Products

Security Intelligence
Non-intrusive assessment
Developers SDK
Windows scanner
Linux scanner
Perimeter control tool
MSSP

Database

Vulnerabilities
Exploits
IOC
Security News
BugBounty
Popular
Wild Exploited
Top Vulnerabilities

Tools

Linux Security Scanner
API integration
Subscriptions
Plugins
Manual Audit

Learn More

Stats
API
Docs
Api-keys
License
Pricing
Glossary
FAQ

Company

Blog
Contacts
About Us
OpenSource
EULA
Brand Guideline
Privacy Policy

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please contact us. Using Vulners services you are accepting Vulners services end-user license agreement

@2024 Vulners Inc

JSON

Related for RH:CVE-2016-5388