CVE-2016-5388

Description

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
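The header-to-environment mapping the description refers to, shown as an added example written for this page (it is not Tomcat's own code): RFC 3875 section 4.1.18 turns a request header into a CGI meta-variable, so a client-sent Proxy header becomes HTTP_PROXY. The unhardened function reproduces the RFC-literal behaviour the CVE text describes; the hardened path drops the colliding header, and a small detection hook flags such requests. Header values, names and the sample request are constructed for illustration.

```python
def header_to_meta_variable(name: str) -> str:
    """RFC 3875 section 4.1.18: upper-case the field name, replace '-' with '_'
    and prepend HTTP_. 'Proxy' therefore becomes HTTP_PROXY, the very variable
    many HTTP client libraries consult when choosing an outbound proxy."""
    return "HTTP_" + name.upper().replace("-", "_")

# Header names whose meta-variable collides with a proxy-configuration variable.
HTTPOXY_HEADERS = {"proxy"}

def build_cgi_env(headers, harden=True):
    """Build the protocol-specific meta-variables passed to a CGI child process.

    harden=False is the RFC-literal behaviour of Tomcat 7.x <= 7.0.70 and
    8.x <= 8.5.4 that the CVE text describes; harden=True skips the colliding
    header so the CGI script never sees a client-controlled HTTP_PROXY."""
    env = {}
    for name, value in headers:
        if harden and name.lower() in HTTPOXY_HEADERS:
            continue
        env[header_to_meta_variable(name)] = value
    return env

def is_httpoxy_request(headers):
    """Detection hook: True when a request carries a header that would map
    onto HTTP_PROXY. Browsers do not send 'Proxy', so log and alert on it."""
    return any(name.lower() in HTTPOXY_HEADERS for name, _ in headers)

# Constructed sample request (not captured traffic); the Proxy value is a placeholder.
CONSTRUCTED_HEADERS = [
    ("Host", "app.example.test"),
    ("User-Agent", "constructed-client/1.0"),
    ("Proxy", "http://proxy.invalid:8080"),
]

if __name__ == "__main__":
    print("unhardened:", build_cgi_env(CONSTRUCTED_HEADERS, harden=False))
    print("hardened:  ", build_cgi_env(CONSTRUCTED_HEADERS))
    print("flagged:   ", is_httpoxy_request(CONSTRUCTED_HEADERS))
```

Note that once the variable is in the child's environment, the CGI script cannot tell a client-supplied HTTP_PROXY from one set by the administrator, which is why the header has to be dropped before the process is spawned.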

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is listed as pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.


Affected package information

Release      Package   Patched in
artful       tomcat7   None
devel        tomcat7   None
precise      tomcat6   6.0.35-1ubuntu3.9
precise/esm  tomcat6   6.0.35-1ubuntu3.9
trusty       tomcat6   None
trusty       tomcat7   7.0.52-1ubuntu0.8
upstream     tomcat7   7.0.71
upstream     tomcat8   8.0.37
xenial       tomcat6   None
xenial       tomcat7   None
xenial       tomcat8   8.0.32-1ubuntu1.3

Unaffected

Release                     Package   Reason
vivid/stable-phone-overlay  tomcat6   DNE
vivid/stable-phone-overlay  tomcat7   DNE
vivid/stable-phone-overlay  tomcat8   DNE
vivid/ubuntu-core           tomcat6   DNE
vivid/ubuntu-core           tomcat7   DNE
vivid/ubuntu-core           tomcat8   DNE
wily                        tomcat6   ignored
wily                        tomcat7   ignored
wily                        tomcat8   ignored
yakkety                     tomcat6   DNE
yakkety                     tomcat7   ignored
yakkety                     tomcat8   not-affected
zesty                       tomcat6   DNE
zesty                       tomcat7   ignored
zesty                       tomcat8   not-affected
artful                      tomcat6   DNE
artful                      tomcat8   not-affected
devel                       tomcat6   DNE
devel                       tomcat8   not-affected
precise                     tomcat7   ignored
precise                     tomcat8   DNE
precise/esm                 tomcat7   DNE
precise/esm                 tomcat8   DNE
trusty                      tomcat8   DNE

Needs Triage

Release      Package   Reason
upstream     tomcat6   needs-triage