{"id":"CVE-2016-5388","details":"Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \"httpoxy\" issue. NOTE: the vendor states \"A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388\"; in other words, this is not a CVE ID for a vulnerability.","aliases":["GHSA-v646-rx6w-r3qq"],"modified":"2026-04-11T12:04:30.198913Z","published":"2016-07-19T02:00:20.820Z","related":["MGASA-2016-0312","SUSE-SU-2016:2188-1","SUSE-SU-2016:2229-1","SUSE-SU-2017:1632-1","SUSE-SU-2017:1660-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","cpe":"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"6.0"},{"last_affected":"6.0.45"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:a:hp:system_management_homepage:*:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.5.5.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:oracle:linux:6:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"6"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:oracle:linux:7:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"6.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"6.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.2"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"6.0"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.2"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.2"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.2"}]},{"source":"CPE_FIELD","cpe":"cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"6.0"}]}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d%40%3Cissues.activemq.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r2853582063cfd9e7fbae1e029ae004e6a83482ae9b70a698996353dd%40%3Cusers.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc6b2147532416cc736e68a32678d3947b7053c3085cf43a9874fd102%40%3Cusers.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf21b368769ae70de4dee840a3228721ae442f1d51ad8742003aefe39%40%3Cusers.tomcat.apache.org%3E"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-1624.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2045.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2046.html"},{"type":"ADVISORY","url":"http://www.kb.cert.org/vuls/id/797896"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/91818"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1036331"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2016:1635"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2016:1636"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"},{"type":"ADVISORY","url":"https://httpoxy.org/"},{"type":"ADVISORY","url":"https://tomcat.apache.org/tomcat-7.0-doc/changelog.html"},{"type":"ADVISORY","url":"https://www.apache.org/security/asf-httpoxy-response.txt"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomcat","events":[{"introduced":"0"},{"last_affected":"e498667bd7811e846771a852b16ce9f1e524b81b"},{"last_affected":"3e5565173dfe107f90419ab63bd4e2e7edc9deb4"},{"introduced":"e498667bd7811e846771a852b16ce9f1e524b81b"},{"last_affected":"ff181ab22b2b18e77ab9e0f0c2cfe5cfa59c844c"}],"database_specific":{"source":"CPE_FIELD","cpe":["cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"7.0"},{"introduced":"8.0"},{"last_affected":"8.5.4"},{"introduced":"7.0"},{"last_affected":"7.0.70"}]}}],"versions":["7.0.0","7.0.70","8.5.4"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-5388.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}