CVE-2016-5388

Published: 18 July 2016

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

Priority

CVSS 3 base score: 8.1

Status

Package	Release	Status
tomcat6 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 LTS (Xenial Xerus)	Needed
	Ubuntu 14.04 ESM (Trusty Tahr)	Needed
tomcat7 Launchpad, Ubuntu, Debian	Upstream	Released (7.0.71)

	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Needed
	Ubuntu 16.04 LTS (Xenial Xerus)	Needed
	Ubuntu 14.04 ESM (Trusty Tahr)	Released (7.0.52-1ubuntu0.8)
	Patches: Upstream: https://svn.apache.org/viewvc?view=revision&revision=1756942
tomcat8 Launchpad, Ubuntu, Debian	Upstream	Released (8.0.37)

	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Not vulnerable (8.0.38-2)
	Ubuntu 16.04 LTS (Xenial Xerus)	Released (8.0.32-1ubuntu1.3)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
	Patches: Upstream: https://svn.apache.org/viewvc?view=revision&revision=1756941

Notes

Author	Note
mdeslaur	setting priority to low, see upstream response for workarounds for specific environments

CVE-2016-5388

Low

Status

Notes

References

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading