CVE-2016-5386 — Improper Access Control in Redhat Enterprise Linux Server

CWE-284 — Improper Access Control CWE-20 — Improper Input Validation10 documents7 sources

Severity

8.1HIGHNVD

EPSS

45.9%

top 2.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang GO Fedoraproject Fedora Oracle Linux +3 more

Timeline

PublishedJul 19

Latest updateAug 9

Description

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶NVDredhat/enterprise_linux_server7.0

▶NVDgolang/go1.0 — 1.6.3+1

▶NVDoracle/linux7

Also affects: Fedora 23, 24, Enterprise Linux 7.2

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Improper input validation in net/http and net/http/cgi↗2022-08-09

▶

GHSA

GHSA-9hq4-732f-9vgf: The net/http package in Go through 1↗2022-05-13

▶

CVEList

CVE-2016-5386: The net/http package in Go through 1↗2016-07-19

▶

OSV

CVE-2016-5386: The net/http package in Go through 1↗2016-07-18

▶

📋Vendor Advisories

Red Hat

Go: sets environmental variable based on user supplied Proxy request header↗2016-07-18

▶

Microsoft

▶

💬Community

Bugzilla

CVE-2016-5386 golang: Go: sets environmental variable based on user supplied Proxy request header [fedora-all]↗2016-07-18

▶

Bugzilla

CVE-2016-5386 golang: Go: sets environmental variable based on user supplied Proxy request header [epel-6]↗2016-07-18

▶

Bugzilla

CVE-2016-5386 Go: sets environmental variable based on user supplied Proxy request header↗2016-07-08

▶