CVE-2016-5387

high
Published 2016-07-19 · Modified 2026-05-06
CVSS v3
8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4
—
not yet in upstream
VIR risk
8.1

Description

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.

Predictions

Exploit likelihood
88%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


OS impact

Fedora (Affected, 2 releases)

Version  Status    Fixed in
24       Affected  —
23       Affected  —

SUSE (Affected, 3 releases)

Version  Status    Fixed in
42.1     Affected  —
13.2     Affected  —
—        Affected  —

Ubuntu (Affected, 4 releases)

Version  Status    Fixed in
16.04    Affected  —
15.10    Affected  —
14.04    Affected  —
12.04    Affected  —

Debian (Mixed, 6 releases)

Version   Status    Fixed in
trixie    Fixed     2.4.23-2
sid       Fixed     2.4.23-2
forky     Fixed     2.4.23-2
bullseye  Fixed     2.4.23-2
bookworm  Fixed     2.4.23-2
8.0       Affected  —

Red Hat (Mixed, 8 releases)

Version  Status        Fixed in
7.7      Affected      —
7.6      Affected      —
7.5      Affected      —
7.4      Affected      —
7.3      Affected      —
7.2      Affected      —
7.0      Not affected  —
6.0      Not affected  —

Application impact

Vendor  Product                              Versions                         Fixed
apache  http_server                          2.2.0 through 2.2.31 (inclusive)
hp      system_management_homepage           up to and including 7.5.5.0
oracle  communications_user_data_repository  10.0.0 through 12.4 (inclusive)
oracle  enterprise_manager_ops_center        12.2.2
oracle  enterprise_manager_ops_center        12.3.2
redhat  jboss_web_server                     2.1.0
redhat  jboss_enterprise_web_server          2.0.0
redhat  jboss_enterprise_web_server          3.0.0
redhat  jboss_core_services                  1.0
apache  http_server                          2.4.1 through 2.4.23 (inclusive)
