CVE-2016-5385

8.1HIGH

Key Information:

Vendor
Oracle
Status
Enterprise Manager Ops Center
Communications User Data Repository
Linux
Vendor
CVE Published:
19 July 2016

Summary

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

References

https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/do...
x_refsource_CONFIRM
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/do...
x_refsource_CONFIRM

EPSS Score

94% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.