#VU337 Httpoxy issue - CVE-2016-5387
Published: August 20, 2016 / Updated: December 21, 2016
Vulnerability identifier: #VU337
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2016-5387
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Software vendor:
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information and compromise vulnerable server.
The vulnerability exists due to a design error in multiple implementations of web servers. A remote unauthenticated attacker can use a specially crafted Proxy header in HTTP request to influence HTTP_PROXY environment variable and redirect application’s HTTP traffic to arbitrary proxy server.
Successful exploitation of this vulnerability may allow an attacker to gain unauthorized access to sensitive information and compromise vulnerable server.
This vulnerability is known as httppoxy.