VulnerableCode Package Details - pkg:rpm/redhat/tomcat7@7.0.59-51_patch

Search for packages

Vulnerability	Summary	Fixed by
VCID-2xc4-7zg9-y7fw Aliases: CVE-2016-5387	HTTP_PROXY is a well-defined environment variable in a CGI process, which collided with a number of libraries which failed to avoid colliding with this CGI namespace. A mitigation is provided for the httpd CGI environment to avoid populating the "HTTP_PROXY" variable from a "Proxy:" header, which has never been registered by IANA. This workaround and patch are documented in the ASF Advisory at asf-httpoxy-response.txt and incorporated in the 2.4.25 and 2.2.32 releases. Note: This is not assigned an httpd severity, as it is a defect in other software which overloaded well-established CGI environment variables, and does not reflect an error in HTTP server software.	There are no reported fixed by versions.
VCID-c12c-fsy1-17ee Aliases: CVE-2016-5388 GHSA-v646-rx6w-r3qq	Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-2xc4-7zg9-y7fw
Aliases:
CVE-2016-5387

HTTP_PROXY is a well-defined environment variable in a CGI process, which collided with a number of libraries which failed to avoid colliding with this CGI namespace. A mitigation is provided for the httpd CGI environment to avoid populating the "HTTP_PROXY" variable from a "Proxy:" header, which has never been registered by IANA. This workaround and patch are documented in the ASF Advisory at asf-httpoxy-response.txt and incorporated in the 2.4.25 and 2.2.32 releases. Note: This is not assigned an httpd severity, as it is a defect in other software which overloaded well-established CGI environment variables, and does not reflect an error in HTTP server software.

There are no reported fixed by versions.

VCID-c12c-fsy1-17ee
Aliases:
CVE-2016-5388
GHSA-v646-rx6w-r3qq

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T14:35:54.509395+00:00	RedHat Importer	Affected by	VCID-c12c-fsy1-17ee	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-5388.json	38.0.0
2026-04-01T14:35:53.920504+00:00	RedHat Importer	Affected by	VCID-2xc4-7zg9-y7fw	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-5387.json	38.0.0

2026-04-01T14:35:54.509395+00:00

RedHat Importer

Affected by

VCID-c12c-fsy1-17ee

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-5388.json

38.0.0

2026-04-01T14:35:53.920504+00:00

RedHat Importer

Affected by

VCID-2xc4-7zg9-y7fw

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-5387.json

38.0.0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	4.0