Untrusted CGI Client Data Vulnerability in Apache HTTP Server for Apple OS X
CVE-2016-4694
9.1 CRITICAL
What is CVE-2016-4694?
The Apache HTTP Server on specific versions of Apple OS X and OS X Server does not adequately handle untrusted CGI client data in the HTTP_PROXY environment variable. A remote attacker can send a specially crafted Proxy header in an HTTP request and hijack an application's outbound HTTP communications, redirecting them to an arbitrary proxy server. This allows the traffic of affected applications to be intercepted or manipulated.
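Why a client header ends up in HTTP_PROXY, as an added example that is not code from this advisory, Apache or Apple: a CGI gateway exposes each request header as an HTTP_* meta-variable (RFC 3875), so a Proxy header becomes HTTP_PROXY. The function names, the sample headers and the simplified client model are assumptions made for illustration; dropping the Proxy header before the mapping is shown as one mitigation.

```python
# Added example: models the CGI header-to-environment mapping (RFC 3875, 4.1.18).
# All names and sample values below are constructed for illustration.

def cgi_meta_variables(headers, drop=()):
    """Map request headers to HTTP_* meta-variables the way a CGI gateway does.

    `drop` lists header names (case-insensitive) removed before the mapping.
    """
    blocked = {name.lower() for name in drop}
    env = {}
    for name, value in headers:
        if name.lower() in blocked:
            continue
        # RFC 3875: upper-case the name, replace "-" with "_", prefix "HTTP_".
        key = "HTTP_" + name.upper().replace("-", "_")
        # Repeated headers are joined into one value.
        env[key] = f"{env[key]}, {value}" if key in env else value
    return env


def proxy_seen_by_client(env):
    """Simplified model (assumption) of an HTTP client that honours HTTP_PROXY."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


# Constructed request headers; the Proxy value is entirely client-controlled.
# Header names are case-insensitive, so the filter must be too.
SAMPLE_HEADERS = [
    ("Host", "app.example"),
    ("User-Agent", "sample-client/1.0"),
    ("pRoXy", "http://untrusted.invalid:8080"),
]


def demo():
    unfiltered = cgi_meta_variables(SAMPLE_HEADERS)
    filtered = cgi_meta_variables(SAMPLE_HEADERS, drop=("Proxy",))
    return proxy_seen_by_client(unfiltered), proxy_seen_by_client(filtered)


if __name__ == "__main__":
    before, after = demo()
    print("without filtering:   ", before)
    print("Proxy header dropped:", after)
```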