CVE-2016-5386 - Improper Access Control

Severity

68%

Complexity

86%

Confidentiality

106%

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

CVSS 3.0 Base Score 8.1. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 6.8. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P).

Overview

First reported 8 years ago

2016-07-19 02:00:00

Last updated 5 years ago

2019-12-27 16:08:00

Affected Software

Fedora Project Fedora 23

23

Fedora 24

24

RedHat Enterprise Linux Server 7.0

7.0

Red Hat Enterprise Linux Server AUS 7.2

7.2

Red Hat Enterprise Linux Server EUS 7.2

7.2

References

RHSA-2016:1538

Third Party Advisory

VU#797896

Third Party Advisory, US Government Resource

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1353798

Issue Tracking, Third Party Advisory

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.