Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-duan-fz4r-uydy
Vulnerability ID VCID-duan-fz4r-uydy
Aliases CVE-2016-5387
Summary HTTP_PROXY is a well-defined environment variable in a CGI process, which collided with a number of libraries which failed to avoid colliding with this CGI namespace. A mitigation is provided for the httpd CGI environment to avoid populating the "HTTP_PROXY" variable from a "Proxy:" header, which has never been registered by IANA. This workaround and patch are documented in the ASF Advisory at asf-httpoxy-response.txt and incorporated in the 2.4.25 and 2.2.32 releases. Note: This is not assigned an httpd severity, as it is a defect in other software which overloaded well-established CGI environment variables, and does not reflect an error in HTTP server software.
Status Published
Exploitability 0.5
Weighted Severity 4.5
Risk 2.2
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-20 Improper Input Validation
System Score Found at
cvssv3 5.0 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-5387.json
epss 0.51564 https://api.first.org/data/v1/epss?cve=CVE-2016-5387
epss 0.51564 https://api.first.org/data/v1/epss?cve=CVE-2016-5387
cvssv2 5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
apache_httpd n/a https://httpd.apache.org/security/json/CVE-2016-5387.json
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-5387.json
https://api.first.org/data/v1/epss?cve=CVE-2016-5387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1353755 https://bugzilla.redhat.com/show_bug.cgi?id=1353755
CVE-2016-5387 https://httpd.apache.org/security/json/CVE-2016-5387.json
GLSA-201701-36 https://security.gentoo.org/glsa/201701-36
RHSA-2016:1420 https://access.redhat.com/errata/RHSA-2016:1420
RHSA-2016:1421 https://access.redhat.com/errata/RHSA-2016:1421
RHSA-2016:1422 https://access.redhat.com/errata/RHSA-2016:1422
RHSA-2016:1625 https://access.redhat.com/errata/RHSA-2016:1625
RHSA-2016:1648 https://access.redhat.com/errata/RHSA-2016:1648
RHSA-2016:1649 https://access.redhat.com/errata/RHSA-2016:1649
RHSA-2016:1650 https://access.redhat.com/errata/RHSA-2016:1650
RHSA-2016:1851 https://access.redhat.com/errata/RHSA-2016:1851
USN-3038-1 https://usn.ubuntu.com/3038-1/
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-5387.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Exploit Prediction Scoring System (EPSS)
Percentile 0.97945
EPSS Score 0.51564
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:53:44.955613+00:00 Apache HTTPD Importer Import https://httpd.apache.org/security/json/CVE-2016-5387.json 38.6.0