Vulnerability Name: CVE-2016-5386 (CCN-115089)

Assigned: 2016-07-18
Published: 2016-07-18
Updated: 2022-08-16
Summary: The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
CVSS v3 Severity: 8.1 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.1 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
8.1 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.1 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
5.0 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N)
4.4 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
7.6 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
5.0 Medium (REDHAT CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-284, CWE-20
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2016-5386

Source: CCN
Type: RHSA-2016-1538
Moderate: golang security, bug fix, and enhancement update

Source: REDHAT
Type: Third Party Advisory
RHSA-2016:1538

Source: CCN
Type: IBM Security Bulletin S1009581 (Storwize V7000 (2076))
Multiple vulnerabilities in Apache Tomcat affect SAN Volume Controller, Storwize family and FlashSystem V9000 products

Source: CCN
Type: IBM Security Bulletin S1010007 (FlashSystem 840)
Vulnerabilities in Apache Tomcat affect the IBM FlashSystem models 840 and 900

Source: CCN
Type: IBM Security Bulletin S1010008 (FlashSystem V840)
Vulnerabilities in Apache Tomcat affect the IBM FlashSystem model V840

Source: CCN
Type: US-CERT VU#797896
CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables

Source: CERT-VN
Type: Third Party Advisory, US Government Resource
VU#797896

Source: CONFIRM
Type: Patch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Source: CONFIRM
Type: Third Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

Source: CCN
Type: BID-91815
GO CVE-2016-5386 Security Bypass Vulnerability

Source: CCN
Type: Red Hat Bugzilla – Bug 1353798
Go: sets environmental variable based on user supplied Proxy request header

Source: CONFIRM
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1353798

Source: XF
Type: UNKNOWN
google-go-cve20165386-redirect(115089)

Source: CCN
Type: Go Programming Language Web site
The Go Programming Language

Source: CONFIRM
Type: Third Party Advisory
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us

Source: CCN
Type: httpoxy Web site
httpoxy

Source: MISC
Type: Third Party Advisory
https://httpoxy.org/

Source: FEDORA
Type: Third Party Advisory
FEDORA-2016-340e361b90

Source: FEDORA
Type: Third Party Advisory
FEDORA-2016-ea5e284d34

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2016-5386

Vulnerable Configuration:
Configuration 1:
  • cpe:/o:fedoraproject:fedora:24:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:23:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/o:oracle:linux:7:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*

Configuration 4:
  • cpe:/a:golang:go:*:*:*:*:*:*:*:* (Version >= 1.0 and < 1.6.3)
  • OR cpe:/a:golang:go:1.7:rc1:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:storwize_v7000_software:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:6.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:6.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:6.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server:7:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storwize_v7000_software:7.7:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20165386 | V | CVE-2016-5386 | 2023-06-22
oval:org.opensuse.security:def:8012 | P | go-1.19-150000.3.26.1 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:112331 | P | go1.12-1.12.17-4.8 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:112327 | P | go-1.17-1.1 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:112343 | P | go1.4-1.4.3-12.2 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:112329 | P | go1.10-1.10.8-8.2 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:112344 | P | go1.9-1.9.7-11.2 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:112330 | P | go1.11-1.11.13-10.5 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:105859 | P | Security update for java-11-openjdk (Important) | 2021-11-16
oval:org.opensuse.security:def:105858 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:105851 | P | Security update for libvirt (Important) | 2021-10-27
oval:org.opensuse.security:def:105850 | P | Security update for busybox (Important) | 2021-10-27
oval:org.opensuse.security:def:105852 | P | go1.12-1.12.17-4.8 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:105848 | P | go-1.17-1.1 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:25463 | P | Security update for mailman (Important) | 2020-12-01
oval:org.opensuse.security:def:25157 | P | Security update for shibboleth-sp (Moderate) | 2020-12-01
oval:org.opensuse.security:def:24889 | P | Security update for openldap2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26320 | P | Security update to go1.4 (Low) | 2020-12-01
oval:org.opensuse.security:def:25604 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:25298 | P | Security update for xerces-c (Moderate) | 2020-12-01
oval:org.opensuse.security:def:24964 | P | Security update for glib2 (Important) | 2020-12-01
oval:org.opensuse.security:def:25662 | P | Security update for apache-commons-httpclient (Important) | 2020-12-01
oval:org.opensuse.security:def:25501 | P | Security update for ghostscript (Important) | 2020-12-01
oval:org.opensuse.security:def:25172 | P | Security update for bind (Important) | 2020-12-01
oval:org.opensuse.security:def:24885 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:26335 | P | security update for go (Low) | 2020-12-01
oval:org.opensuse.security:def:25603 | P | Security update for java-1_8_0-openjdk (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25313 | P | Security update for perl-DBI (Important) | 2020-12-01
oval:org.opensuse.security:def:25076 | P | Security update for cpio (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26285 | P | Security update for the Linux Kernel (Critical) | 2020-12-01
oval:org.opensuse.security:def:25516 | P | Security update for file-roller (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25214 | P | Security update for transfig (Low) | 2020-12-01
oval:org.opensuse.security:def:24900 | P | Security update for ImageMagick (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25618 | P | Security update for python3 (Important) | 2020-12-01
oval:org.opensuse.security:def:25448 | P | Security update for python3 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25091 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:24874 | P | Security update for exiv2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26300 | P | Security update for gimp (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25589 | P | Security update for zabbix (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25229 | P | Security update for dbus-1 (Important) | 2020-12-01
oval:org.opensuse.security:def:24949 | P | Security update for postgresql10 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25647 | P | Security update for freetype2 (Important) | 2020-12-01
oval:com.redhat.rhsa:def:20161538 | P | RHSA-2016:1538: golang security, bug fix, and enhancement update (Moderate) | 2016-08-02
oval:com.ubuntu.xenial:def:201653860000000 | V | CVE-2016-5386 on Ubuntu 16.04 LTS (xenial) - low. | 2016-07-19
oval:com.ubuntu.precise:def:20165386000 | V | CVE-2016-5386 on Ubuntu 12.04 LTS (precise) - medium. | 2016-07-18
oval:com.ubuntu.trusty:def:20165386000 | V | CVE-2016-5386 on Ubuntu 14.04 LTS (trusty) - low. | 2016-07-18
oval:com.ubuntu.xenial:def:20165386000 | V | CVE-2016-5386 on Ubuntu 16.04 LTS (xenial) - low. | 2016-07-18