CVE-2016-4694

CWE-284 — Improper Access Control5 documents4 sources

Severity

9.1CRITICAL

EPSS

1.0%

top 23.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple MAC OS X Apple OS X Server

Timeline

PublishedSep 25

Latest updateMay 17

Description

The Apache HTTP Server in Apple OS X before 10.12 and OS X Server before 5.2 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted CGI client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue, a related issue to CVE-2016-5387.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

▶NVDapple/os_x_server5.1

▶NVDapple/mac_os_x10.11.6

🔴Vulnerability Details

GHSA

GHSA-r72m-c53q-265m: The Apache HTTP Server in Apple OS X before 10↗2022-05-17

▶

CVEList

CVE-2016-4694: The Apache HTTP Server in Apple OS X before 10↗2016-09-25

▶

📋Vendor Advisories

Apple

CVE-2016-4694: macOS Sierra 10.12↗2016-09-20

▶

Apple

CVE-2016-4694: macOS Server 5.2↗2016-09-20

▶