CVSS2
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
AV:N/AC:H/Au:N/C:P/I:P/A:P
CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS percentile: 99.3%
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI
Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not
protect applications from the presence of untrusted client data in the
HTTP_PROXY environment variable, which might allow remote attackers to
redirect an application’s outbound HTTP traffic to an arbitrary proxy
server via a crafted Proxy header in an HTTP request, aka an “httpoxy”
issue. NOTE: the vendor states “A mitigation is planned for future releases
of Tomcat, tracked as CVE-2016-5388”; in other words, this is not a CVE ID
for a vulnerability.
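The header-to-variable mapping behind this issue, shown as an added example that is not part of the original advisory or Tomcat's code: RFC 3875 section 4.1.18 turns each request header into an HTTP_* meta-variable, so a client-supplied Proxy header lands in HTTP_PROXY unless the gateway drops it first. The function names and the sample request are constructed for illustration.

```python
# Added illustration of the RFC 3875 section 4.1.18 mapping; not Tomcat code.
# All names and the sample request below are constructed for this example.

SAMPLE_HEADERS = [  # constructed request headers
    ("Host", "app.example"),
    ("Accept", "*/*"),
    ("Proxy", "http://proxy.invalid:3128"),
]

def cgi_meta_variables(headers):
    """Build HTTP_* meta-variables the way section 4.1.18 describes:
    upper-case the header name, replace '-' with '_', prepend 'HTTP_'."""
    env = {}
    for name, value in headers:
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        # Repeated header fields are folded into one comma-separated value.
        env[key] = f"{env[key]}, {value}" if key in env else value
    return env

def hardened_meta_variables(headers, blocked=("proxy",)):
    """Same mapping, but drop the Proxy request header (case-insensitive)
    before it can become HTTP_PROXY in the CGI process environment."""
    kept = [(n, v) for n, v in headers if n.strip().lower() not in blocked]
    return cgi_meta_variables(kept)

def collides_with_proxy_env(env):
    """Return the meta-variables that an HTTP client library running inside
    the CGI program could read as its outbound proxy setting."""
    return sorted(k for k in env if k.upper() == "HTTP_PROXY")

if __name__ == "__main__":
    naive = cgi_meta_variables(SAMPLE_HEADERS)
    safe = hardened_meta_variables(SAMPLE_HEADERS)
    print("RFC mapping:", collides_with_proxy_env(naive), naive.get("HTTP_PROXY"))
    print("hardened   :", collides_with_proxy_env(safe), safe.get("HTTP_PROXY"))
```

The same filtering can be applied in front of the servlet container, for example by having a reverse proxy remove the Proxy request header before it reaches the CGI Servlet.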
Author | Note |
---|---|
mdeslaur | setting priority to low, see upstream response for workarounds for specific environments |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 12.04 | noarch | tomcat6 | < 6.0.35-1ubuntu3.9 | UNKNOWN |
ubuntu | 14.04 | noarch | tomcat6 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | tomcat6 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | tomcat7 | < any | UNKNOWN |
ubuntu | 14.04 | noarch | tomcat7 | < 7.0.52-1ubuntu0.8 | UNKNOWN |
ubuntu | 16.04 | noarch | tomcat7 | < 7.0.68-1ubuntu0.4+esm1 | UNKNOWN |
ubuntu | 16.04 | noarch | tomcat8 | < 8.0.32-1ubuntu1.3 | UNKNOWN |