Vulnerability-Lookup

RHSA-2016:1635

Vulnerability from csaf_redhat - Published: 2016-08-18 18:20 - Updated: 2026-03-18 01:43

Summary

Red Hat Security Advisory: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update

Severity

Important

Notes

Topic: Updated packages that provide Red Hat JBoss Web Server 3.0.3 Service Pack 1 and fixes two security issues and a bug with ajp processors are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: This release of Red Hat JBoss Web Server 3.0.3 Service Pack 1 serves as a update for Red Hat JBoss Web Server 3.0.3 httpd and tomcat. Security Fix(es): * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) Note: After this update, httpd will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable. Red Hat would like to thank Scott Geary (VendHQ) for reporting these issues.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2016-5387

It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.

5.0 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

CWE-20 - Improper Input Validation

Vendor Fix For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the updated packages, the httpd daemon will be restarted automatically. After installing the updated packages, follow the instructions in this knowledgebase article to configure Tomcat: https://access.redhat.com/solutions/2435491 https://access.redhat.com/errata/RHSA-2016:1635

CVE-2016-5388

It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.

3.5 (Low)


                        
                          CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

CWE-20 - Improper Input Validation

References

URL

Category

	https://access.redhat.com/errata/RHSA-2016:1635	self
	https://access.redhat.com/security/updates/classi…	external
	https://access.redhat.com/documentation/en-US/Red…	external
	https://access.redhat.com/security/vulnerabilitie…	external
	https://access.redhat.com/solutions/2435491	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1353755	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1353809	external
	https://issues.redhat.com/browse/JWS-483	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2016-5387	self
	https://bugzilla.redhat.com/show_bug.cgi?id=1353755	external
	https://www.cve.org/CVERecord?id=CVE-2016-5387	external
	https://nvd.nist.gov/vuln/detail/CVE-2016-5387	external
	https://access.redhat.com/security/vulnerabilitie…	external
	https://httpoxy.org/	external
	https://www.apache.org/security/asf-httpoxy-respo…	external
	https://access.redhat.com/security/cve/CVE-2016-5388	self
	https://bugzilla.redhat.com/show_bug.cgi?id=1353809	external
	https://www.cve.org/CVERecord?id=CVE-2016-5388	external
	https://nvd.nist.gov/vuln/detail/CVE-2016-5388	external

Acknowledgments

VendHQ Scott Geary

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated packages that provide Red Hat JBoss Web Server 3.0.3 Service Pack 1 and fixes two security issues and a bug with ajp processors are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This release of Red Hat JBoss Web Server 3.0.3 Service Pack 1 serves as a update for Red Hat JBoss Web Server 3.0.3 httpd and tomcat.\n\nSecurity Fix(es):\n\n* It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387)\n\n* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)\n\nNote: After this update, httpd will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable.\n\nRed Hat would like to thank Scott Geary (VendHQ) for reporting these issues.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2016:1635",
        "url": "https://access.redhat.com/errata/RHSA-2016:1635"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.0.3_Release_Notes/index.html",
        "url": "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.0.3_Release_Notes/index.html"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/vulnerabilities/httpoxy",
        "url": "https://access.redhat.com/security/vulnerabilities/httpoxy"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/solutions/2435491",
        "url": "https://access.redhat.com/solutions/2435491"
      },
      {
        "category": "external",
        "summary": "1353755",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1353755"
      },
      {
        "category": "external",
        "summary": "1353809",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1353809"
      },
      {
        "category": "external",
        "summary": "JWS-483",
        "url": "https://issues.redhat.com/browse/JWS-483"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_1635.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update",
    "tracking": {
      "current_release_date": "2026-03-18T01:43:38+00:00",
      "generator": {
        "date": "2026-03-18T01:43:38+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.3"
        }
      },
      "id": "RHSA-2016:1635",
      "initial_release_date": "2016-08-18T18:20:54+00:00",
      "revision_history": [
        {
          "date": "2016-08-18T18:20:54+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2016-08-18T18:20:54+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-03-18T01:43:38+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Web Server 3.0 for RHEL 7",
                "product": {
                  "name": "Red Hat JBoss Web Server 3.0 for RHEL 7",
                  "product_id": "7Server-JWS-3.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Web Server"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "tomcat7-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat7-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat7-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat7-webapps@7.0.59-51_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat7-log4j-0:7.0.59-51_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat7-log4j-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat7-log4j-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat7-log4j@7.0.59-51_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat7-admin-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat7-admin-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat7-admin-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat7-admin-webapps@7.0.59-51_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat7-javadoc-0:7.0.59-51_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat7-javadoc-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat7-javadoc-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat7-javadoc@7.0.59-51_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat7-jsp-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat7-jsp-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat7-jsp-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat7-jsp-2.2-api@7.0.59-51_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat7-0:7.0.59-51_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat7-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat7-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat7@7.0.59-51_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat7-el-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat7-el-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat7-el-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat7-el-2.2-api@7.0.59-51_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat7-docs-webapp-0:7.0.59-51_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat7-docs-webapp-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat7-docs-webapp-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat7-docs-webapp@7.0.59-51_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat7-servlet-3.0-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat7-servlet-3.0-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat7-servlet-3.0-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat7-servlet-3.0-api@7.0.59-51_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat7-lib-0:7.0.59-51_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat7-lib-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat7-lib-0:7.0.59-51_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat7-lib@7.0.59-51_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat8-el-2.2-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat8-el-2.2-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat8-el-2.2-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat8-el-2.2-api@8.0.18-62_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat8-log4j-0:8.0.18-62_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat8-log4j-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat8-log4j-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat8-log4j@8.0.18-62_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat8-servlet-3.1-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat8-servlet-3.1-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat8-servlet-3.1-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat8-servlet-3.1-api@8.0.18-62_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat8-javadoc-0:8.0.18-62_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat8-javadoc-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat8-javadoc-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat8-javadoc@8.0.18-62_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat8-0:8.0.18-62_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat8-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat8-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat8@8.0.18-62_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat8-admin-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat8-admin-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat8-admin-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat8-admin-webapps@8.0.18-62_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat8-jsp-2.3-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat8-jsp-2.3-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat8-jsp-2.3-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat8-jsp-2.3-api@8.0.18-62_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat8-docs-webapp-0:8.0.18-62_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat8-docs-webapp-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat8-docs-webapp-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat8-docs-webapp@8.0.18-62_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat8-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat8-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat8-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat8-webapps@8.0.18-62_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat8-lib-0:8.0.18-62_patch_01.ep7.el7.noarch",
                "product": {
                  "name": "tomcat8-lib-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_id": "tomcat8-lib-0:8.0.18-62_patch_01.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat8-lib@8.0.18-62_patch_01.ep7.el7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "httpd24-manual-0:2.4.6-62.ep7.el7.noarch",
                "product": {
                  "name": "httpd24-manual-0:2.4.6-62.ep7.el7.noarch",
                  "product_id": "httpd24-manual-0:2.4.6-62.ep7.el7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/httpd24-manual@2.4.6-62.ep7.el7?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "tomcat7-0:7.0.59-51_patch_01.ep7.el7.src",
                "product": {
                  "name": "tomcat7-0:7.0.59-51_patch_01.ep7.el7.src",
                  "product_id": "tomcat7-0:7.0.59-51_patch_01.ep7.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat7@7.0.59-51_patch_01.ep7.el7?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "tomcat8-0:8.0.18-62_patch_01.ep7.el7.src",
                "product": {
                  "name": "tomcat8-0:8.0.18-62_patch_01.ep7.el7.src",
                  "product_id": "tomcat8-0:8.0.18-62_patch_01.ep7.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/tomcat8@8.0.18-62_patch_01.ep7.el7?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "httpd24-0:2.4.6-62.ep7.el7.src",
                "product": {
                  "name": "httpd24-0:2.4.6-62.ep7.el7.src",
                  "product_id": "httpd24-0:2.4.6-62.ep7.el7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/httpd24@2.4.6-62.ep7.el7?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mod_session24-0:2.4.6-62.ep7.el7.x86_64",
                "product": {
                  "name": "mod_session24-0:2.4.6-62.ep7.el7.x86_64",
                  "product_id": "mod_session24-0:2.4.6-62.ep7.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_session24@2.4.6-62.ep7.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "httpd24-0:2.4.6-62.ep7.el7.x86_64",
                "product": {
                  "name": "httpd24-0:2.4.6-62.ep7.el7.x86_64",
                  "product_id": "httpd24-0:2.4.6-62.ep7.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/httpd24@2.4.6-62.ep7.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "httpd24-tools-0:2.4.6-62.ep7.el7.x86_64",
                "product": {
                  "name": "httpd24-tools-0:2.4.6-62.ep7.el7.x86_64",
                  "product_id": "httpd24-tools-0:2.4.6-62.ep7.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/httpd24-tools@2.4.6-62.ep7.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_ssl24-1:2.4.6-62.ep7.el7.x86_64",
                "product": {
                  "name": "mod_ssl24-1:2.4.6-62.ep7.el7.x86_64",
                  "product_id": "mod_ssl24-1:2.4.6-62.ep7.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_ssl24@2.4.6-62.ep7.el7?arch=x86_64\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "httpd24-debuginfo-0:2.4.6-62.ep7.el7.x86_64",
                "product": {
                  "name": "httpd24-debuginfo-0:2.4.6-62.ep7.el7.x86_64",
                  "product_id": "httpd24-debuginfo-0:2.4.6-62.ep7.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/httpd24-debuginfo@2.4.6-62.ep7.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_ldap24-0:2.4.6-62.ep7.el7.x86_64",
                "product": {
                  "name": "mod_ldap24-0:2.4.6-62.ep7.el7.x86_64",
                  "product_id": "mod_ldap24-0:2.4.6-62.ep7.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_ldap24@2.4.6-62.ep7.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "httpd24-devel-0:2.4.6-62.ep7.el7.x86_64",
                "product": {
                  "name": "httpd24-devel-0:2.4.6-62.ep7.el7.x86_64",
                  "product_id": "httpd24-devel-0:2.4.6-62.ep7.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/httpd24-devel@2.4.6-62.ep7.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_proxy24_html-1:2.4.6-62.ep7.el7.x86_64",
                "product": {
                  "name": "mod_proxy24_html-1:2.4.6-62.ep7.el7.x86_64",
                  "product_id": "mod_proxy24_html-1:2.4.6-62.ep7.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_proxy24_html@2.4.6-62.ep7.el7?arch=x86_64\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-0:2.4.6-62.ep7.el7.src as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:httpd24-0:2.4.6-62.ep7.el7.src"
        },
        "product_reference": "httpd24-0:2.4.6-62.ep7.el7.src",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-0:2.4.6-62.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:httpd24-0:2.4.6-62.ep7.el7.x86_64"
        },
        "product_reference": "httpd24-0:2.4.6-62.ep7.el7.x86_64",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-debuginfo-0:2.4.6-62.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:httpd24-debuginfo-0:2.4.6-62.ep7.el7.x86_64"
        },
        "product_reference": "httpd24-debuginfo-0:2.4.6-62.ep7.el7.x86_64",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-devel-0:2.4.6-62.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:httpd24-devel-0:2.4.6-62.ep7.el7.x86_64"
        },
        "product_reference": "httpd24-devel-0:2.4.6-62.ep7.el7.x86_64",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-manual-0:2.4.6-62.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:httpd24-manual-0:2.4.6-62.ep7.el7.noarch"
        },
        "product_reference": "httpd24-manual-0:2.4.6-62.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "httpd24-tools-0:2.4.6-62.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:httpd24-tools-0:2.4.6-62.ep7.el7.x86_64"
        },
        "product_reference": "httpd24-tools-0:2.4.6-62.ep7.el7.x86_64",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_ldap24-0:2.4.6-62.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:mod_ldap24-0:2.4.6-62.ep7.el7.x86_64"
        },
        "product_reference": "mod_ldap24-0:2.4.6-62.ep7.el7.x86_64",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_proxy24_html-1:2.4.6-62.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:mod_proxy24_html-1:2.4.6-62.ep7.el7.x86_64"
        },
        "product_reference": "mod_proxy24_html-1:2.4.6-62.ep7.el7.x86_64",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_session24-0:2.4.6-62.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:mod_session24-0:2.4.6-62.ep7.el7.x86_64"
        },
        "product_reference": "mod_session24-0:2.4.6-62.ep7.el7.x86_64",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_ssl24-1:2.4.6-62.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:mod_ssl24-1:2.4.6-62.ep7.el7.x86_64"
        },
        "product_reference": "mod_ssl24-1:2.4.6-62.ep7.el7.x86_64",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat7-0:7.0.59-51_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat7-0:7.0.59-51_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat7-0:7.0.59-51_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat7-0:7.0.59-51_patch_01.ep7.el7.src as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat7-0:7.0.59-51_patch_01.ep7.el7.src"
        },
        "product_reference": "tomcat7-0:7.0.59-51_patch_01.ep7.el7.src",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat7-admin-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat7-admin-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat7-admin-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat7-docs-webapp-0:7.0.59-51_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat7-docs-webapp-0:7.0.59-51_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat7-docs-webapp-0:7.0.59-51_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat7-el-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat7-el-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat7-el-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat7-javadoc-0:7.0.59-51_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat7-javadoc-0:7.0.59-51_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat7-javadoc-0:7.0.59-51_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat7-jsp-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat7-jsp-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat7-jsp-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat7-lib-0:7.0.59-51_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat7-lib-0:7.0.59-51_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat7-lib-0:7.0.59-51_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat7-log4j-0:7.0.59-51_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat7-log4j-0:7.0.59-51_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat7-log4j-0:7.0.59-51_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat7-servlet-3.0-api-0:7.0.59-51_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat7-servlet-3.0-api-0:7.0.59-51_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat7-servlet-3.0-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat7-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat7-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat7-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat8-0:8.0.18-62_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat8-0:8.0.18-62_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat8-0:8.0.18-62_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat8-0:8.0.18-62_patch_01.ep7.el7.src as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat8-0:8.0.18-62_patch_01.ep7.el7.src"
        },
        "product_reference": "tomcat8-0:8.0.18-62_patch_01.ep7.el7.src",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat8-admin-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat8-admin-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat8-admin-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat8-docs-webapp-0:8.0.18-62_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat8-docs-webapp-0:8.0.18-62_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat8-docs-webapp-0:8.0.18-62_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat8-el-2.2-api-0:8.0.18-62_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat8-el-2.2-api-0:8.0.18-62_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat8-el-2.2-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat8-javadoc-0:8.0.18-62_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat8-javadoc-0:8.0.18-62_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat8-javadoc-0:8.0.18-62_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat8-jsp-2.3-api-0:8.0.18-62_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat8-jsp-2.3-api-0:8.0.18-62_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat8-jsp-2.3-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat8-lib-0:8.0.18-62_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat8-lib-0:8.0.18-62_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat8-lib-0:8.0.18-62_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat8-log4j-0:8.0.18-62_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat8-log4j-0:8.0.18-62_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat8-log4j-0:8.0.18-62_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat8-servlet-3.1-api-0:8.0.18-62_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat8-servlet-3.1-api-0:8.0.18-62_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat8-servlet-3.1-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "tomcat8-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.0 for RHEL 7",
          "product_id": "7Server-JWS-3.0:tomcat8-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch"
        },
        "product_reference": "tomcat8-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch",
        "relates_to_product_reference": "7Server-JWS-3.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Scott Geary"
          ],
          "organization": "VendHQ"
        }
      ],
      "cve": "CVE-2016-5387",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2016-07-04T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1353755"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "HTTPD: sets environmental variable based on user supplied Proxy request header",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-JWS-3.0:httpd24-0:2.4.6-62.ep7.el7.src",
          "7Server-JWS-3.0:httpd24-0:2.4.6-62.ep7.el7.x86_64",
          "7Server-JWS-3.0:httpd24-debuginfo-0:2.4.6-62.ep7.el7.x86_64",
          "7Server-JWS-3.0:httpd24-devel-0:2.4.6-62.ep7.el7.x86_64",
          "7Server-JWS-3.0:httpd24-manual-0:2.4.6-62.ep7.el7.noarch",
          "7Server-JWS-3.0:httpd24-tools-0:2.4.6-62.ep7.el7.x86_64",
          "7Server-JWS-3.0:mod_ldap24-0:2.4.6-62.ep7.el7.x86_64",
          "7Server-JWS-3.0:mod_proxy24_html-1:2.4.6-62.ep7.el7.x86_64",
          "7Server-JWS-3.0:mod_session24-0:2.4.6-62.ep7.el7.x86_64",
          "7Server-JWS-3.0:mod_ssl24-1:2.4.6-62.ep7.el7.x86_64",
          "7Server-JWS-3.0:tomcat7-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-0:7.0.59-51_patch_01.ep7.el7.src",
          "7Server-JWS-3.0:tomcat7-admin-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-docs-webapp-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-el-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-javadoc-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-jsp-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-lib-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-log4j-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-servlet-3.0-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-0:8.0.18-62_patch_01.ep7.el7.src",
          "7Server-JWS-3.0:tomcat8-admin-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-docs-webapp-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-el-2.2-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-javadoc-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-jsp-2.3-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-lib-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-log4j-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-servlet-3.1-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-5387"
        },
        {
          "category": "external",
          "summary": "RHBZ#1353755",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1353755"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-5387",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-5387"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-5387",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5387"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/security/vulnerabilities/httpoxy",
          "url": "https://access.redhat.com/security/vulnerabilities/httpoxy"
        },
        {
          "category": "external",
          "summary": "https://httpoxy.org/",
          "url": "https://httpoxy.org/"
        },
        {
          "category": "external",
          "summary": "https://www.apache.org/security/asf-httpoxy-response.txt",
          "url": "https://www.apache.org/security/asf-httpoxy-response.txt"
        }
      ],
      "release_date": "2016-07-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-08-18T18:20:54+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.\n\nAfter installing the updated packages, follow the instructions in this\nknowledgebase article to configure Tomcat:\n\nhttps://access.redhat.com/solutions/2435491",
          "product_ids": [
            "7Server-JWS-3.0:httpd24-0:2.4.6-62.ep7.el7.src",
            "7Server-JWS-3.0:httpd24-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:httpd24-debuginfo-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:httpd24-devel-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:httpd24-manual-0:2.4.6-62.ep7.el7.noarch",
            "7Server-JWS-3.0:httpd24-tools-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:mod_ldap24-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:mod_proxy24_html-1:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:mod_session24-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:mod_ssl24-1:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:tomcat7-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-0:7.0.59-51_patch_01.ep7.el7.src",
            "7Server-JWS-3.0:tomcat7-admin-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-docs-webapp-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-el-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-javadoc-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-jsp-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-lib-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-log4j-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-servlet-3.0-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-0:8.0.18-62_patch_01.ep7.el7.src",
            "7Server-JWS-3.0:tomcat8-admin-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-docs-webapp-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-el-2.2-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-javadoc-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-jsp-2.3-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-lib-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-log4j-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-servlet-3.1-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:1635"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "7Server-JWS-3.0:httpd24-0:2.4.6-62.ep7.el7.src",
            "7Server-JWS-3.0:httpd24-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:httpd24-debuginfo-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:httpd24-devel-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:httpd24-manual-0:2.4.6-62.ep7.el7.noarch",
            "7Server-JWS-3.0:httpd24-tools-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:mod_ldap24-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:mod_proxy24_html-1:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:mod_session24-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:mod_ssl24-1:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:tomcat7-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-0:7.0.59-51_patch_01.ep7.el7.src",
            "7Server-JWS-3.0:tomcat7-admin-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-docs-webapp-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-el-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-javadoc-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-jsp-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-lib-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-log4j-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-servlet-3.0-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-0:8.0.18-62_patch_01.ep7.el7.src",
            "7Server-JWS-3.0:tomcat8-admin-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-docs-webapp-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-el-2.2-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-javadoc-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-jsp-2.3-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-lib-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-log4j-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-servlet-3.1-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "HTTPD: sets environmental variable based on user supplied Proxy request header"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Scott Geary"
          ],
          "organization": "VendHQ"
        }
      ],
      "cve": "CVE-2016-5388",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2016-07-04T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1353809"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Tomcat: CGI sets environmental variable based on user supplied Proxy request header",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-JWS-3.0:httpd24-0:2.4.6-62.ep7.el7.src",
          "7Server-JWS-3.0:httpd24-0:2.4.6-62.ep7.el7.x86_64",
          "7Server-JWS-3.0:httpd24-debuginfo-0:2.4.6-62.ep7.el7.x86_64",
          "7Server-JWS-3.0:httpd24-devel-0:2.4.6-62.ep7.el7.x86_64",
          "7Server-JWS-3.0:httpd24-manual-0:2.4.6-62.ep7.el7.noarch",
          "7Server-JWS-3.0:httpd24-tools-0:2.4.6-62.ep7.el7.x86_64",
          "7Server-JWS-3.0:mod_ldap24-0:2.4.6-62.ep7.el7.x86_64",
          "7Server-JWS-3.0:mod_proxy24_html-1:2.4.6-62.ep7.el7.x86_64",
          "7Server-JWS-3.0:mod_session24-0:2.4.6-62.ep7.el7.x86_64",
          "7Server-JWS-3.0:mod_ssl24-1:2.4.6-62.ep7.el7.x86_64",
          "7Server-JWS-3.0:tomcat7-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-0:7.0.59-51_patch_01.ep7.el7.src",
          "7Server-JWS-3.0:tomcat7-admin-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-docs-webapp-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-el-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-javadoc-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-jsp-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-lib-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-log4j-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-servlet-3.0-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat7-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-0:8.0.18-62_patch_01.ep7.el7.src",
          "7Server-JWS-3.0:tomcat8-admin-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-docs-webapp-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-el-2.2-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-javadoc-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-jsp-2.3-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-lib-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-log4j-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-servlet-3.1-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
          "7Server-JWS-3.0:tomcat8-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-5388"
        },
        {
          "category": "external",
          "summary": "RHBZ#1353809",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1353809"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-5388",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-5388"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-5388",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5388"
        }
      ],
      "release_date": "2016-07-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2016-08-18T18:20:54+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.\n\nAfter installing the updated packages, follow the instructions in this\nknowledgebase article to configure Tomcat:\n\nhttps://access.redhat.com/solutions/2435491",
          "product_ids": [
            "7Server-JWS-3.0:httpd24-0:2.4.6-62.ep7.el7.src",
            "7Server-JWS-3.0:httpd24-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:httpd24-debuginfo-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:httpd24-devel-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:httpd24-manual-0:2.4.6-62.ep7.el7.noarch",
            "7Server-JWS-3.0:httpd24-tools-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:mod_ldap24-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:mod_proxy24_html-1:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:mod_session24-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:mod_ssl24-1:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:tomcat7-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-0:7.0.59-51_patch_01.ep7.el7.src",
            "7Server-JWS-3.0:tomcat7-admin-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-docs-webapp-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-el-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-javadoc-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-jsp-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-lib-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-log4j-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-servlet-3.0-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-0:8.0.18-62_patch_01.ep7.el7.src",
            "7Server-JWS-3.0:tomcat8-admin-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-docs-webapp-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-el-2.2-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-javadoc-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-jsp-2.3-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-lib-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-log4j-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-servlet-3.1-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2016:1635"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "7Server-JWS-3.0:httpd24-0:2.4.6-62.ep7.el7.src",
            "7Server-JWS-3.0:httpd24-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:httpd24-debuginfo-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:httpd24-devel-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:httpd24-manual-0:2.4.6-62.ep7.el7.noarch",
            "7Server-JWS-3.0:httpd24-tools-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:mod_ldap24-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:mod_proxy24_html-1:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:mod_session24-0:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:mod_ssl24-1:2.4.6-62.ep7.el7.x86_64",
            "7Server-JWS-3.0:tomcat7-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-0:7.0.59-51_patch_01.ep7.el7.src",
            "7Server-JWS-3.0:tomcat7-admin-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-docs-webapp-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-el-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-javadoc-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-jsp-2.2-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-lib-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-log4j-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-servlet-3.0-api-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat7-webapps-0:7.0.59-51_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-0:8.0.18-62_patch_01.ep7.el7.src",
            "7Server-JWS-3.0:tomcat8-admin-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-docs-webapp-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-el-2.2-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-javadoc-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-jsp-2.3-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-lib-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-log4j-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-servlet-3.1-api-0:8.0.18-62_patch_01.ep7.el7.noarch",
            "7Server-JWS-3.0:tomcat8-webapps-0:8.0.18-62_patch_01.ep7.el7.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Tomcat: CGI sets environmental variable based on user supplied Proxy request header"
    }
  ]
}

CVE-2016-5387 (GCVE-0-2016-5387)

Vulnerability from cvelistv5 – Published: 2016-07-19 01:00 – Updated: 2024-08-06 01:00

Summary

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

Tags

	http://www.securitytracker.com/id/1036330	vdb-entryx_refsource_SECTRACK
	https://access.redhat.com/errata/RHSA-2016:1420	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2016:1635	vendor-advisoryx_refsource_REDHAT
	https://support.apple.com/HT208221	x_refsource_CONFIRM
	https://h20566.www2.hpe.com/portal/site/hpsc/publ…	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/91816	vdb-entryx_refsource_BID
	https://access.redhat.com/errata/RHSA-2016:1851	vendor-advisoryx_refsource_REDHAT
	http://www.ubuntu.com/usn/USN-3038-1	vendor-advisoryx_refsource_UBUNTU
	http://www.kb.cert.org/vuls/id/797896	third-party-advisoryx_refsource_CERT-VN
	http://www.oracle.com/technetwork/security-adviso…	x_refsource_CONFIRM
	http://lists.opensuse.org/opensuse-updates/2016-0…	vendor-advisoryx_refsource_SUSE
	http://www.oracle.com/technetwork/topics/security…	x_refsource_CONFIRM
	http://rhn.redhat.com/errata/RHSA-2016-1648.html	vendor-advisoryx_refsource_REDHAT
	https://www.tenable.com/security/tns-2017-04	x_refsource_CONFIRM
	http://rhn.redhat.com/errata/RHSA-2016-1625.html	vendor-advisoryx_refsource_REDHAT
	http://www.debian.org/security/2016/dsa-3623	vendor-advisoryx_refsource_DEBIAN
	http://rhn.redhat.com/errata/RHSA-2016-1649.html	vendor-advisoryx_refsource_REDHAT
	https://h20566.www2.hpe.com/portal/site/hpsc/publ…	x_refsource_CONFIRM
	https://h20566.www2.hpe.com/hpsc/doc/public/displ…	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2016:1422	vendor-advisoryx_refsource_REDHAT
	http://www.oracle.com/technetwork/topics/security…	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2016:1421	vendor-advisoryx_refsource_REDHAT
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	http://rhn.redhat.com/errata/RHSA-2016-1650.html	vendor-advisoryx_refsource_REDHAT
	http://rhn.redhat.com/errata/RHSA-2016-1624.html	vendor-advisoryx_refsource_REDHAT
	https://www.apache.org/security/asf-httpoxy-respo…	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://httpoxy.org/	x_refsource_MISC
	http://www.oracle.com/technetwork/security-adviso…	x_refsource_CONFIRM
	https://security.gentoo.org/glsa/201701-36	vendor-advisoryx_refsource_GENTOO
	https://access.redhat.com/errata/RHSA-2016:1636	vendor-advisoryx_refsource_REDHAT
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.apache.org/thread.html/56c2e7cc9deb…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/84a3714f0878…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/8d63cb8e9100…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/f7f95ac1cd98…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r57608dc51b7…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rd18c3c43602…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/re3d27b6250a…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rfbaf647d52c…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rf6449464fd8…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r9ea3538f229…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rc998b18880d…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/re1e3a24664d…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r04e89e873d5…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rdca61ae9906…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r9f93cf6dde3…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rcc44594d4d6…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rb14daf9cc4e…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rad01d817195…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rd336919f655…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r476d175be0a…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r75cbe9ea3e2…	mailing-listx_refsource_MLIST

Date Public ?

2016-07-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T01:00:59.995Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1036330",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1036330"
          },
          {
            "name": "RHSA-2016:1420",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1420"
          },
          {
            "name": "RHSA-2016:1635",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1635"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/HT208221"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149"
          },
          {
            "name": "91816",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/91816"
          },
          {
            "name": "RHSA-2016:1851",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1851"
          },
          {
            "name": "USN-3038-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-3038-1"
          },
          {
            "name": "VU#797896",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/797896"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
          },
          {
            "name": "openSUSE-SU-2016:1824",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-updates/2016-07/msg00059.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"
          },
          {
            "name": "RHSA-2016:1648",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1648.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/tns-2017-04"
          },
          {
            "name": "RHSA-2016:1625",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1625.html"
          },
          {
            "name": "DSA-3623",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2016/dsa-3623"
          },
          {
            "name": "RHSA-2016:1649",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1649.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03770en_us"
          },
          {
            "name": "RHSA-2016:1422",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1422"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html"
          },
          {
            "name": "RHSA-2016:1421",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1421"
          },
          {
            "name": "FEDORA-2016-a29c65b00f",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WCTE7443AYZ4EGELWLVNANA2WJCJIYI/"
          },
          {
            "name": "RHSA-2016:1650",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1650.html"
          },
          {
            "name": "RHSA-2016:1624",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2016-1624.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.apache.org/security/asf-httpoxy-response.txt"
          },
          {
            "name": "FEDORA-2016-df0726ae26",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TGNHXJJSWDXAOEYH5TMXDPQVJMQQJOAZ/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://httpoxy.org/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
          },
          {
            "name": "GLSA-201701-36",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201701-36"
          },
          {
            "name": "RHSA-2016:1636",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2016:1636"
          },
          {
            "name": "FEDORA-2016-9fd9bfab9e",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEKZAB7MTWVSMORHTEMCQNFFMIHCYF76/"
          },
          {
            "name": "FEDORA-2016-683d0b257b",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPQAPWQA774JPDRV4UIB2SZAX6D3UZCV/"
          },
          {
            "name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210330 svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210330 svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210330 svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210330 svn commit: r1073149 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210603 svn commit: r1075360 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210606 svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E"
          },
          {
            "name": "[httpd-cvs] 20210606 svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-07-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application\u0027s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \"httpoxy\" issue.  NOTE: the vendor states \"This mitigation has been assigned the identifier CVE-2016-5387\"; in other words, this is not a CVE ID for a vulnerability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-06T10:11:53.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "1036330",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1036330"
        },
        {
          "name": "RHSA-2016:1420",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1420"
        },
        {
          "name": "RHSA-2016:1635",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1635"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/HT208221"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149"
        },
        {
          "name": "91816",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/91816"
        },
        {
          "name": "RHSA-2016:1851",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1851"
        },
        {
          "name": "USN-3038-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-3038-1"
        },
        {
          "name": "VU#797896",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/797896"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
        },
        {
          "name": "openSUSE-SU-2016:1824",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-updates/2016-07/msg00059.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"
        },
        {
          "name": "RHSA-2016:1648",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1648.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.tenable.com/security/tns-2017-04"
        },
        {
          "name": "RHSA-2016:1625",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1625.html"
        },
        {
          "name": "DSA-3623",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2016/dsa-3623"
        },
        {
          "name": "RHSA-2016:1649",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1649.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03770en_us"
        },
        {
          "name": "RHSA-2016:1422",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1422"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html"
        },
        {
          "name": "RHSA-2016:1421",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1421"
        },
        {
          "name": "FEDORA-2016-a29c65b00f",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WCTE7443AYZ4EGELWLVNANA2WJCJIYI/"
        },
        {
          "name": "RHSA-2016:1650",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1650.html"
        },
        {
          "name": "RHSA-2016:1624",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2016-1624.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.apache.org/security/asf-httpoxy-response.txt"
        },
        {
          "name": "FEDORA-2016-df0726ae26",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TGNHXJJSWDXAOEYH5TMXDPQVJMQQJOAZ/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://httpoxy.org/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
        },
        {
          "name": "GLSA-201701-36",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201701-36"
        },
        {
          "name": "RHSA-2016:1636",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2016:1636"
        },
        {
          "name": "FEDORA-2016-9fd9bfab9e",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEKZAB7MTWVSMORHTEMCQNFFMIHCYF76/"
        },
        {
          "name": "FEDORA-2016-683d0b257b",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPQAPWQA774JPDRV4UIB2SZAX6D3UZCV/"
        },
        {
          "name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20210330 svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20210330 svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20210330 svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20210330 svn commit: r1073149 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20210603 svn commit: r1075360 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20210606 svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a%40%3Ccvs.httpd.apache.org%3E"
        },
        {
          "name": "[httpd-cvs] 20210606 svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2016-5387",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application\u0027s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \"httpoxy\" issue.  NOTE: the vendor states \"This mitigation has been assigned the identifier CVE-2016-5387\"; in other words, this is not a CVE ID for a vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1036330",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1036330"
            },
            {
              "name": "RHSA-2016:1420",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:1420"
            },
            {
              "name": "RHSA-2016:1635",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:1635"
            },
            {
              "name": "https://support.apple.com/HT208221",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/HT208221"
            },
            {
              "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149",
              "refsource": "CONFIRM",
              "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149"
            },
            {
              "name": "91816",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/91816"
            },
            {
              "name": "RHSA-2016:1851",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:1851"
            },
            {
              "name": "USN-3038-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-3038-1"
            },
            {
              "name": "VU#797896",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/797896"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
            },
            {
              "name": "openSUSE-SU-2016:1824",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-updates/2016-07/msg00059.html"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html"
            },
            {
              "name": "RHSA-2016:1648",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1648.html"
            },
            {
              "name": "https://www.tenable.com/security/tns-2017-04",
              "refsource": "CONFIRM",
              "url": "https://www.tenable.com/security/tns-2017-04"
            },
            {
              "name": "RHSA-2016:1625",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1625.html"
            },
            {
              "name": "DSA-3623",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2016/dsa-3623"
            },
            {
              "name": "RHSA-2016:1649",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1649.html"
            },
            {
              "name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722",
              "refsource": "CONFIRM",
              "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"
            },
            {
              "name": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03770en_us",
              "refsource": "CONFIRM",
              "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03770en_us"
            },
            {
              "name": "RHSA-2016:1422",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:1422"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html"
            },
            {
              "name": "RHSA-2016:1421",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:1421"
            },
            {
              "name": "FEDORA-2016-a29c65b00f",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6WCTE7443AYZ4EGELWLVNANA2WJCJIYI/"
            },
            {
              "name": "RHSA-2016:1650",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1650.html"
            },
            {
              "name": "RHSA-2016:1624",
              "refsource": "REDHAT",
              "url": "http://rhn.redhat.com/errata/RHSA-2016-1624.html"
            },
            {
              "name": "https://www.apache.org/security/asf-httpoxy-response.txt",
              "refsource": "CONFIRM",
              "url": "https://www.apache.org/security/asf-httpoxy-response.txt"
            },
            {
              "name": "FEDORA-2016-df0726ae26",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TGNHXJJSWDXAOEYH5TMXDPQVJMQQJOAZ/"
            },
            {
              "name": "https://httpoxy.org/",
              "refsource": "MISC",
              "url": "https://httpoxy.org/"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
            },
            {
              "name": "GLSA-201701-36",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201701-36"
            },
            {
              "name": "RHSA-2016:1636",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2016:1636"
            },
            {
              "name": "FEDORA-2016-9fd9bfab9e",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NEKZAB7MTWVSMORHTEMCQNFFMIHCYF76/"
            },
            {
              "name": "FEDORA-2016-683d0b257b",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPQAPWQA774JPDRV4UIB2SZAX6D3UZCV/"
            },
            {
              "name": "[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210330 svn commit: r1073149 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rb14daf9cc4e28d18cdc15d6a6ca74e565672fabf7ad89541071d008b@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210603 svn commit: r1075360 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rad01d817195e6cc871cb1d73b207ca326379a20a6e7f30febaf56d24@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210606 svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r476d175be0aaf4a17680ef98c5153b4d336eaef76fb2224cc94c463a@%3Ccvs.httpd.apache.org%3E"
            },
            {
              "name": "[httpd-cvs] 20210606 svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2016-5387",
    "datePublished": "2016-07-19T01:00:00.000Z",
    "dateReserved": "2016-06-10T00:00:00.000Z",
    "dateUpdated": "2024-08-06T01:00:59.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2016-5388 (GCVE-0-2016-5388)

Vulnerability from cvelistv5 – Published: 2016-07-19 01:00 – Updated: 2024-08-06 01:00

Summary

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2016:1635

CVE-2016-5387 (GCVE-0-2016-5387)

CVE-2016-5388 (GCVE-0-2016-5388)

Tags

Sightings

Nomenclature