K92930514: GO vulnerability CVE-2016-5386

Security Advisory Description The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote...

K51663510: Apache Tomcat vulnerability CVE-2016-5388

Security Advisory Description Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect ...

Improper Access Control in Apache Tomcat

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect an...

GHSA-M6CH-GG5F-WXX3 HTTP Proxy header vulnerability

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP...

HTTP Proxy header vulnerability

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP...

Forced Browsing in Twisted

Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect a CGI application's outbou...

GHSA-3GQJ-CMXR-P4X2 Forced Browsing in Twisted

Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect a CGI application's outbou...

Exploit for OS Command Injection in Apache Tomcat

CVE-2019-0232 Vulnerability analysis and PoC for the Apache To...

CVE-2016-1000111

Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect a CGI application's outbou...

Design/Logic Flaw

Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect a CGI application's outbou...

CVE-2016-1000111

CVE-2016-1000111 affects Twisted before 16.3.1, where the Proxy header can initialize HTTP_PROXY for CGI scripts, enabling potential redirection of outbound traffic to an attacker-controlled proxy (httpoxy). Connected advisories (e.g., Red Hat RHSA-2018:0273, SUSE SUSE-SU-2017:0114-1, Ubuntu USN-...

CVE-2016-1000109

HHVM is vulnerable to an httpoxy-style issue where untrusted data in the HTTP_PROXY variable can redirect a CGI app’s outbound traffic to an arbitrary proxy. Affected HHVM ranges include pre-3.9.6, 3.10.0–3.12.4, and 3.13.0–3.14.2. The CVE-2016-1000109 description confirms the root cause as RFC 3...

UBUNTU-CVE-2016-1000107

inets in Erlang possibly 22.1 and earlier follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an...

CVE-2016-1000108

yaws before 2.0.4 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound...

CVE-2016-1000108

yaws before 2.0.4 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound...

Debian DLA-1883-1 : tomcat8 security update (httpoxy)

Several minor issues have been fixed in tomcat8, a Java Servlet and JSP engine. CVE-2016-5388 Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTPPROXY environment variabl...

[SECURITY] [DLA 1883-1] tomcat8 security update

Package : tomcat8 Version : 8.0.14-1+deb8u15 CVE ID : CVE-2016-5388 CVE-2018-8014 CVE-2019-0221 Debian Bug : 929895 898935 Several minor issues have been fixed in tomcat8, a Java Servlet and JSP engine. CVE-2016-5388 Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18...

Tenable SecurityCenter Apache 2.4.x < 2.4.25 Multiple Vulnerabilities (TNS-2017-04) (httpoxy)

The Tenable SecurityCenter application installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities in the bundled version of Apache : - A flaw exists in the modsessioncrypto module due to encryption for data and cookies using the configured...

macOS : macOS Server < 5.2 Multiple Vulnerabilities (httpoxy)

The version of macOS Server formerly known as Mac OS X Server installed on the remote host is prior to 5.2. It is, therefore, affected by the following vulnerabilities : - The Apache HTTP Server is affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resol...

CVE-2016-4694

The Apache HTTP Server in Apple OS X before 10.12 and OS X Server before 5.2 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted CGI client data in the HTTPPROXY environment variable, which might allow remote attackers to redirect an...