Vulnerability-Lookup

CVE-2016-1000109 (GCVE-0-2016-1000109)

Vulnerability from cvelistv5 – Published: 2020-02-19 12:38 – Updated: 2024-08-06 03:55

Summary

HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. This issue affects HHVM versions prior to 3.9.6, all versions between 3.10.0 and 3.12.4 (inclusive), and all versions between 3.13.0 and 3.14.2 (inclusive).

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

GHSA-QHF2-73W2-GWFH

Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2022-05-24 17:09

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2016-1000109"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-19T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application\u0026#39;s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \u0026quot;httpoxy\u0026quot; issue. This issue affects HHVM versions prior to 3.9.6, all versions between 3.10.0 and 3.12.4 (inclusive), and all versions between 3.13.0 and 3.14.2 (inclusive).",
  "id": "GHSA-qhf2-73w2-gwfh",
  "modified": "2022-05-24T17:09:19Z",
  "published": "2022-05-24T17:09:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000109"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/hhvm/commit/423b4b719afd5ef4e6e19d8447fbf7b6bc0d0a25"
    },
    {
      "type": "WEB",
      "url": "https://httpoxy.org"
    },
    {
      "type": "WEB",
      "url": "https://www.facebook.com/security/advisories/cve-2016-1000109"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2016-1000109

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2016-1000109

Aliases

CVE-2016-1000109

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2016-1000109",
    "description": "HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application\u0027s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \"httpoxy\" issue. This issue affects HHVM versions prior to 3.9.6, all versions between 3.10.0 and 3.12.4 (inclusive), and all versions between 3.13.0 and 3.14.2 (inclusive).",
    "id": "GSD-2016-1000109"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2016-1000109"
      ],
      "details": "HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application\u0027s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \"httpoxy\" issue. This issue affects HHVM versions prior to 3.9.6, all versions between 3.10.0 and 3.12.4 (inclusive), and all versions between 3.13.0 and 3.14.2 (inclusive).",
      "id": "GSD-2016-1000109",
      "modified": "2023-12-13T01:21:18.040956Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "DATE_ASSIGNED": "2016-07-17",
        "ID": "CVE-2016-1000109",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application\u0027s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \"httpoxy\" issue. This issue affects HHVM versions prior to 3.9.6, all versions between 3.10.0 and 3.12.4 (inclusive), and all versions between 3.13.0 and 3.14.2 (inclusive)."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://httpoxy.org/",
            "refsource": "MISC",
            "url": "https://httpoxy.org/"
          },
          {
            "name": "https://github.com/facebook/hhvm/commit/423b4b719afd5ef4e6e19d8447fbf7b6bc0d0a25",
            "refsource": "CONFIRM",
            "url": "https://github.com/facebook/hhvm/commit/423b4b719afd5ef4e6e19d8447fbf7b6bc0d0a25"
          },
          {
            "name": "https://www.facebook.com/security/advisories/cve-2016-1000109",
            "refsource": "CONFIRM",
            "url": "https://www.facebook.com/security/advisories/cve-2016-1000109"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.9.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.12.4",
                "versionStartIncluding": "3.10.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.14.2",
                "versionStartIncluding": "3.13.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-1000109"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application\u0027s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \"httpoxy\" issue. This issue affects HHVM versions prior to 3.9.6, all versions between 3.10.0 and 3.12.4 (inclusive), and all versions between 3.13.0 and 3.14.2 (inclusive)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-665"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/facebook/hhvm/commit/423b4b719afd5ef4e6e19d8447fbf7b6bc0d0a25",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/facebook/hhvm/commit/423b4b719afd5ef4e6e19d8447fbf7b6bc0d0a25"
            },
            {
              "name": "https://www.facebook.com/security/advisories/cve-2016-1000109",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2016-1000109"
            },
            {
              "name": "https://httpoxy.org/",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://httpoxy.org/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2020-03-06T18:45Z",
      "publishedDate": "2020-02-19T13:15Z"
    }
  }
}

FKIE_CVE-2016-1000109

Vulnerability from fkie_nvd - Published: 2020-02-19 13:15 - Updated: 2024-11-21 02:42

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

References

URL	Tags
cve@mitre.org	https://github.com/facebook/hhvm/commit/423b4b719afd5ef4e6e19d8447fbf7b6bc0d0a25	Patch, Third Party Advisory
cve@mitre.org	https://httpoxy.org/	Exploit, Mitigation, Third Party Advisory
cve@mitre.org	https://www.facebook.com/security/advisories/cve-2016-1000109	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/facebook/hhvm/commit/423b4b719afd5ef4e6e19d8447fbf7b6bc0d0a25	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://httpoxy.org/	Exploit, Mitigation, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.facebook.com/security/advisories/cve-2016-1000109	Third Party Advisory

Impacted products

Vendor	Product	Version
facebook	hhvm	*
facebook	hhvm	*
facebook	hhvm	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A60E75B9-EE8F-44ED-8E49-044B7AE45F0E",
              "versionEndExcluding": "3.9.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "903C1991-8D3D-42FA-B53F-067A890F2119",
              "versionEndIncluding": "3.12.4",
              "versionStartIncluding": "3.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:facebook:hhvm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "62F812F3-F2B5-4AC7-A8D8-9A56B2333ABC",
              "versionEndIncluding": "3.14.2",
              "versionStartIncluding": "3.13.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application\u0027s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \"httpoxy\" issue. This issue affects HHVM versions prior to 3.9.6, all versions between 3.10.0 and 3.12.4 (inclusive), and all versions between 3.13.0 and 3.14.2 (inclusive)."
    },
    {
      "lang": "es",
      "value": "HHVM no intenta abordar los conflictos de espacio de nombres de RFC 3875 section versi\u00f3n 4.1.18 y, por lo tanto, no protege las aplicaciones CGI de la presencia de datos de clientes no confiables en la variable de entorno HTTP_PROXY, lo que podr\u00eda permitir a atacantes remotos redireccionar el tr\u00e1fico HTTP saliente de una aplicaci\u00f3n CGI hacia un servidor proxy arbitrario por medio de un encabezado Proxy dise\u00f1ado en una petici\u00f3n HTTP, tambi\u00e9n se conoce como un problema \"httpoxy\". Este problema afecta a las versiones HHVM anteriores a 3.9.6, todas las versiones entre 3.10.0 y 3.12.4 (inclusive), y todas las versiones entre 3.13.0 y 3.14.2 (inclusive)."
    }
  ],
  "id": "CVE-2016-1000109",
  "lastModified": "2024-11-21T02:42:52.540",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-02-19T13:15:10.900",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/facebook/hhvm/commit/423b4b719afd5ef4e6e19d8447fbf7b6bc0d0a25"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://httpoxy.org/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.facebook.com/security/advisories/cve-2016-1000109"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/facebook/hhvm/commit/423b4b719afd5ef4e6e19d8447fbf7b6bc0d0a25"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://httpoxy.org/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.facebook.com/security/advisories/cve-2016-1000109"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-665"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

WID-SEC-W-2025-2522

Vulnerability from csaf_certbund - Published: 2016-07-18 22:00 - Updated: 2025-11-10 23:00

Summary

Mehrere Webserver: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

PHP ist eine Programmiersprache, die zur Implementierung von Web-Applikationen genutzt wird. Apache Tomcat ist ein Web-Applikationsserver für verschiedene Plattformen. Apache ist ein Webserver für verschiedene Plattformen. Python ist eine universelle, üblicherweise interpretierte höhere Programmiersprache.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in mehreren Webserver Produkten ausnutzen, um Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme

- Linux - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "PHP ist eine Programmiersprache, die zur Implementierung von Web-Applikationen genutzt wird.\r\nApache Tomcat ist ein Web-Applikationsserver f\u00fcr verschiedene Plattformen.\r\nApache ist ein Webserver f\u00fcr verschiedene Plattformen.\r\nPython ist eine universelle, \u00fcblicherweise interpretierte h\u00f6here Programmiersprache.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in mehreren Webserver Produkten ausnutzen, um Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-2522 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2016/wid-sec-w-2025-2522.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-2522 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2522"
      },
      {
        "category": "external",
        "summary": "Meldung auf httpoxy.org vom 2016-07-18",
        "url": "https://httpoxy.org/"
      },
      {
        "category": "external",
        "summary": "Cert.org Vulnerability Note VU#797896 vom 2016-07-18",
        "url": "http://www.kb.cert.org/vuls/id/797896"
      },
      {
        "category": "external",
        "summary": "Microsoft Knowledge Base article #3179800 vom 2016-07-18",
        "url": "https://support.microsoft.com/en-us/kb/3179800"
      },
      {
        "category": "external",
        "summary": "Meldung auf nginx.com vom 2016-07-18",
        "url": "https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/"
      },
      {
        "category": "external",
        "summary": "Meldung auf Apache.org vom 2016-07-18",
        "url": "https://www.apache.org/security/asf-httpoxy-response.txt"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-3038-1 vom 2016-07-18",
        "url": "http://www.ubuntu.com/usn/usn-3038-1/"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1420 vom 2016-07-18",
        "url": "https://access.redhat.com/errata/RHSA-2016:1420"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1421 vom 2016-07-18",
        "url": "https://access.redhat.com/errata/RHSA-2016:1421"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugzilla #1353755 vom 2016-07-18",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5387"
      },
      {
        "category": "external",
        "summary": "Debian Security Tracker CVE-2016-5387 vom 2016-07-18",
        "url": "https://security-tracker.debian.org/tracker/CVE-2016-5387"
      },
      {
        "category": "external",
        "summary": "Meldung auf der oss-sec Mailliste vom 2016-07-19",
        "url": "http://seclists.org/oss-sec/2016/q3/94"
      },
      {
        "category": "external",
        "summary": "CentOS Announce CESA-2016:1421 vom 2016-07-18",
        "url": "http://permalink.gmane.org/gmane.linux.centos.announce/9976"
      },
      {
        "category": "external",
        "summary": "CentOS Announce CESA-2016:1422 vom 2016-07-18",
        "url": "http://permalink.gmane.org/gmane.linux.centos.announce/9975"
      },
      {
        "category": "external",
        "summary": "Meldung auf der oss-sec Mailliste vom 2016-07-19",
        "url": "http://seclists.org/oss-sec/2016/q3/95"
      },
      {
        "category": "external",
        "summary": "Typo3 Core Security Advisory typo3-core-sa-2016-019 vom 2016-07-19",
        "url": "https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2016-019/"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-3623-1 vom 2016-07-20",
        "url": "https://lists.debian.org/debian-security-announce/2016/msg00201.html"
      },
      {
        "category": "external",
        "summary": "SUSE Patch vom 2016-07-20",
        "url": "https://download.suse.com/patch/finder/?keywords=a513b952ed04bce0c2391eb2ba3b9f2c"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-3631 vom 2016-07-27",
        "url": "https://www.debian.org/security/2016/dsa-3631"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-3045-1 vom 2016-08-02",
        "url": "http://www.ubuntu.com/usn/usn-3045-1/"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1538 vom 2016-08-03",
        "url": "https://rhn.redhat.com/errata/RHSA-2016-1538.html"
      },
      {
        "category": "external",
        "summary": "Unify Security Advisory Report - OBSO-1607-01 vom 2016-07-27",
        "url": "https://networks.unify.com/security/advisories/OBSO-1607-01.pdf"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1609 vom 2016-08-12",
        "url": "https://rhn.redhat.com/errata/RHSA-2016-1609.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1610 vom 2016-08-12",
        "url": "https://rhn.redhat.com/errata/RHSA-2016-1610.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1611 vom 2016-08-12",
        "url": "https://rhn.redhat.com/errata/RHSA-2016-1611.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1612 vom 2016-08-12",
        "url": "https://rhn.redhat.com/errata/RHSA-2016-1612.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1613 vom 2016-08-12",
        "url": "https://rhn.redhat.com/errata/RHSA-2016-1613.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:2090 vom 2016-08-17",
        "url": "http://lists.suse.com/pipermail/sle-security-updates/2016-August/002213.html"
      },
      {
        "category": "external",
        "summary": "RedHat Security Advisory RHSA-2016-1624",
        "url": "https://rhn.redhat.com/errata/RHSA-2016-1624.html"
      },
      {
        "category": "external",
        "summary": "RedHat Security Advisory RHSA-2016-1625",
        "url": "https://rhn.redhat.com/errata/RHSA-2016-1625.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1630-1 vom 2016-08-18",
        "url": "http://rhn.redhat.com/errata/RHSA-2016-1630.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1629-1 vom 2016-08-18",
        "url": "http://rhn.redhat.com/errata/RHSA-2016-1629.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1628-1 vom 2016-08-18",
        "url": "http://rhn.redhat.com/errata/RHSA-2016-1628.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1627-1 vom 2016-08-18",
        "url": "http://rhn.redhat.com/errata/RHSA-2016-1627.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1626-1 vom 2016-08-18",
        "url": "http://rhn.redhat.com/errata/RHSA-2016-1626.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:2106-1 vom 2016-08-19",
        "url": "http://lists.suse.com/pipermail/sle-security-updates/2016-August/002219.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1650-1 vom 2016-08-22",
        "url": "https://rhn.redhat.com/errata/RHSA-2016-1650.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1649-1 vom 2016-08-22",
        "url": "https://rhn.redhat.com/errata/RHSA-2016-1649.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1648-1 vom 2016-08-22",
        "url": "https://rhn.redhat.com/errata/RHSA-2016-1648.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:2188-1 vom 2016-09-03",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20162188-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:2229-1 vom 2016-09-07",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20162229-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:2270-1 vom 2016-09-10",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20162270-1.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2016:1978 vom 2016-09-30",
        "url": "https://access.redhat.com/errata/RHSA-2016:1978"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:2653-1 vom 2016-10-26",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20162653-1.html"
      },
      {
        "category": "external",
        "summary": "HP Security Bulletin HPSBUX03665 vom 2016-11-07",
        "url": "https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05324759"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2016-2586 vom 2016-11-09",
        "url": "http://linux.oracle.com/errata/ELSA-2016-2586.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2016-2598 vom 2016-11-09",
        "url": "http://linux.oracle.com/errata/ELSA-2016-2598.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2016:2859-1 vom 2016-11-18",
        "url": "https://www.suse.com/support/update/announcement/2016/suse-su-20162859-1.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-3134-1 vom 2016-11-23",
        "url": "http://www.ubuntu.com/usn/usn-3134-1/"
      },
      {
        "category": "external",
        "summary": "Eintrag auf Apache.org",
        "url": "http://httpd.apache.org/security/vulnerabilities_24.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2017:0114-1 vom 2017-01-12",
        "url": "https://www.suse.com/support/update/announcement/2017/suse-su-20170114-1.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2017:0190-1 vom 2017-01-18",
        "url": "https://www.suse.com/support/update/announcement/2017/suse-su-20170190-1.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-3177-1 vom 2017-01-23",
        "url": "http://www.ubuntu.com/usn/usn-3177-1/"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-3177-2 vom 2017-02-02",
        "url": "http://www.ubuntu.com/usn/usn-3177-2/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2017:1632-1 vom 2017-06-21",
        "url": "https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00025.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2017:1660-1 vom 2017-06-24",
        "url": "https://www.suse.com/support/update/announcement/2017/suse-su-20171660-1.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2018:0273 vom 2018-02-05",
        "url": "https://access.redhat.com/errata/RHSA-2018:0273"
      },
      {
        "category": "external",
        "summary": "Dell/EMC Knowledge Base Article: 000529947",
        "url": "https://support.emc.com/kb/529947"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2019:0223-1 vom 2019-02-01",
        "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20190223-1.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:15706-1 vom 2025-11-07",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J2YFYRHG3D4WKV5P6XA25CFPNSEBUKHC/"
      }
    ],
    "source_lang": "en-US",
    "title": "Mehrere Webserver: Schwachstelle erm\u00f6glicht Umgehen von Sicherheitsvorkehrungen",
    "tracking": {
      "current_release_date": "2025-11-10T23:00:00.000+00:00",
      "generator": {
        "date": "2025-11-11T06:37:21.182+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2025-2522",
      "initial_release_date": "2016-07-18T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2016-07-18T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initial Release"
        },
        {
          "date": "2016-07-18T22:00:00.000+00:00",
          "number": "2",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-07-18T22:00:00.000+00:00",
          "number": "3",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-07-18T22:00:00.000+00:00",
          "number": "4",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-07-19T22:00:00.000+00:00",
          "number": "5",
          "summary": "New remediations available"
        },
        {
          "date": "2016-07-20T22:00:00.000+00:00",
          "number": "6",
          "summary": "New remediations available"
        },
        {
          "date": "2016-07-20T22:00:00.000+00:00",
          "number": "7",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-07-27T22:00:00.000+00:00",
          "number": "8",
          "summary": "New remediations available"
        },
        {
          "date": "2016-07-27T22:00:00.000+00:00",
          "number": "9",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-08-02T22:00:00.000+00:00",
          "number": "10",
          "summary": "New remediations available"
        },
        {
          "date": "2016-08-02T22:00:00.000+00:00",
          "number": "11",
          "summary": "New remediations available"
        },
        {
          "date": "2016-08-02T22:00:00.000+00:00",
          "number": "12",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-08-11T22:00:00.000+00:00",
          "number": "13",
          "summary": "New remediations available"
        },
        {
          "date": "2016-08-11T22:00:00.000+00:00",
          "number": "14",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-08-11T22:00:00.000+00:00",
          "number": "15",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-08-11T22:00:00.000+00:00",
          "number": "16",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-08-11T22:00:00.000+00:00",
          "number": "17",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-08-17T22:00:00.000+00:00",
          "number": "18",
          "summary": "New remediations available"
        },
        {
          "date": "2016-08-17T22:00:00.000+00:00",
          "number": "19",
          "summary": "New remediations available"
        },
        {
          "date": "2016-08-17T22:00:00.000+00:00",
          "number": "20",
          "summary": "New remediations available"
        },
        {
          "date": "2016-08-18T22:00:00.000+00:00",
          "number": "21",
          "summary": "New remediations available"
        },
        {
          "date": "2016-08-18T22:00:00.000+00:00",
          "number": "22",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-08-21T22:00:00.000+00:00",
          "number": "23",
          "summary": "New remediations available"
        },
        {
          "date": "2016-08-21T22:00:00.000+00:00",
          "number": "24",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-08-22T22:00:00.000+00:00",
          "number": "25",
          "summary": "New remediations available"
        },
        {
          "date": "2016-08-22T22:00:00.000+00:00",
          "number": "26",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-08-22T22:00:00.000+00:00",
          "number": "27",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-09-04T22:00:00.000+00:00",
          "number": "28",
          "summary": "New remediations available"
        },
        {
          "date": "2016-09-04T22:00:00.000+00:00",
          "number": "29",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-09-06T22:00:00.000+00:00",
          "number": "30",
          "summary": "New remediations available"
        },
        {
          "date": "2016-09-11T22:00:00.000+00:00",
          "number": "31",
          "summary": "New remediations available"
        },
        {
          "date": "2016-10-03T22:00:00.000+00:00",
          "number": "32",
          "summary": "New remediations available"
        },
        {
          "date": "2016-10-03T22:00:00.000+00:00",
          "number": "33",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-10-03T22:00:00.000+00:00",
          "number": "34",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-10-03T22:00:00.000+00:00",
          "number": "35",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-10-03T22:00:00.000+00:00",
          "number": "36",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-10-03T22:00:00.000+00:00",
          "number": "37",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-10-26T22:00:00.000+00:00",
          "number": "38",
          "summary": "New remediations available"
        },
        {
          "date": "2016-11-06T23:00:00.000+00:00",
          "number": "39",
          "summary": "New remediations available"
        },
        {
          "date": "2016-11-06T23:00:00.000+00:00",
          "number": "40",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-11-09T23:00:00.000+00:00",
          "number": "41",
          "summary": "New remediations available"
        },
        {
          "date": "2016-11-20T23:00:00.000+00:00",
          "number": "42",
          "summary": "New remediations available"
        },
        {
          "date": "2016-11-22T23:00:00.000+00:00",
          "number": "43",
          "summary": "New remediations available"
        },
        {
          "date": "2016-11-22T23:00:00.000+00:00",
          "number": "44",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2016-12-20T23:00:00.000+00:00",
          "number": "45",
          "summary": "New remediations available"
        },
        {
          "date": "2017-01-12T23:00:00.000+00:00",
          "number": "46",
          "summary": "New remediations available"
        },
        {
          "date": "2017-01-18T23:00:00.000+00:00",
          "number": "47",
          "summary": "New remediations available"
        },
        {
          "date": "2017-01-23T23:00:00.000+00:00",
          "number": "48",
          "summary": "New remediations available"
        },
        {
          "date": "2017-02-02T23:00:00.000+00:00",
          "number": "49",
          "summary": "New remediations available"
        },
        {
          "date": "2017-06-20T22:00:00.000+00:00",
          "number": "50",
          "summary": "New remediations available"
        },
        {
          "date": "2017-06-20T22:00:00.000+00:00",
          "number": "51",
          "summary": "New remediations available"
        },
        {
          "date": "2017-06-20T22:00:00.000+00:00",
          "number": "52",
          "summary": "Version nicht vorhanden"
        },
        {
          "date": "2017-06-26T22:00:00.000+00:00",
          "number": "53",
          "summary": "New remediations available"
        },
        {
          "date": "2017-08-07T22:00:00.000+00:00",
          "number": "54",
          "summary": "Added references"
        },
        {
          "date": "2019-01-30T23:00:00.000+00:00",
          "number": "55",
          "summary": "Neue Updates von EMC aufgenommen"
        },
        {
          "date": "2019-02-03T23:00:00.000+00:00",
          "number": "56",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2019-04-08T22:00:00.000+00:00",
          "number": "57",
          "summary": "Referenz(en) aufgenommen: FEDORA-2019-AA7F37CD4D"
        },
        {
          "date": "2025-11-09T23:00:00.000+00:00",
          "number": "58",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2025-11-10T23:00:00.000+00:00",
          "number": "59",
          "summary": "Korrektur"
        }
      ],
      "status": "final",
      "version": "59"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Apache HTTP Server",
            "product": {
              "name": "Apache HTTP Server",
              "product_id": "67869",
              "product_identification_helper": {
                "cpe": "cpe:/a:apache:http_server:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Apache Tomcat",
            "product": {
              "name": "Apache Tomcat",
              "product_id": "643",
              "product_identification_helper": {
                "cpe": "cpe:/a:apache:tomcat:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Apache"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "EMC VNX1",
            "product": {
              "name": "EMC VNX1",
              "product_id": "T004667",
              "product_identification_helper": {
                "cpe": "cpe:/h:emc:vnx:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "EMC"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "HPE HP-UX",
            "product": {
              "name": "HPE HP-UX",
              "product_id": "4871",
              "product_identification_helper": {
                "cpe": "cpe:/o:hp:hp-ux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "HPE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source CentOS",
            "product": {
              "name": "Open Source CentOS",
              "product_id": "1727",
              "product_identification_helper": {
                "cpe": "cpe:/o:centos:centos:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Open Source PHP",
            "product": {
              "name": "Open Source PHP",
              "product_id": "8746",
              "product_identification_helper": {
                "cpe": "cpe:/a:php:php:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Open Source Python",
            "product": {
              "name": "Open Source Python",
              "product_id": "113051",
              "product_identification_helper": {
                "cpe": "cpe:/a:python:python:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Red Hat JBoss Web Server",
            "product": {
              "name": "Red Hat JBoss Web Server",
              "product_id": "T003426",
              "product_identification_helper": {
                "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "12 SP1",
                "product": {
                  "name": "SUSE Linux Enterprise Desktop 12 SP1",
                  "product_id": "T006804",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:linux_enterprise_desktop:12:sp1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Linux Enterprise Desktop"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "12 SP1",
                "product": {
                  "name": "SUSE Linux Enterprise Server 12 SP1",
                  "product_id": "T007836",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:linux_enterprise_server:12:sp1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Linux Enterprise Server"
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c8.2.1",
                "product": {
                  "name": "TYPO3 Core \u003c8.2.1",
                  "product_id": "T008046"
                }
              },
              {
                "category": "product_version",
                "name": "8.2.1",
                "product": {
                  "name": "TYPO3 Core 8.2.1",
                  "product_id": "T008046-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:typo3:typo3:8.2.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Core"
          }
        ],
        "category": "vendor",
        "name": "TYPO3"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "131442",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:10.04:-:lts"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-1000104",
      "product_status": {
        "known_affected": [
          "131442",
          "67646",
          "4871",
          "T004667",
          "67869",
          "T003426",
          "T007836",
          "T006804",
          "2951",
          "T002207",
          "643",
          "T027843",
          "8746",
          "1727",
          "T008046",
          "113051"
        ]
      },
      "release_date": "2016-07-18T22:00:00.000+00:00",
      "title": "CVE-2016-1000104"
    },
    {
      "cve": "CVE-2016-1000105",
      "product_status": {
        "known_affected": [
          "131442",
          "67646",
          "4871",
          "T004667",
          "67869",
          "T003426",
          "T007836",
          "T006804",
          "2951",
          "T002207",
          "643",
          "T027843",
          "8746",
          "1727",
          "T008046",
          "113051"
        ]
      },
      "release_date": "2016-07-18T22:00:00.000+00:00",
      "title": "CVE-2016-1000105"
    },
    {
      "cve": "CVE-2016-1000107",
      "product_status": {
        "known_affected": [
          "131442",
          "67646",
          "4871",
          "T004667",
          "67869",
          "T003426",
          "T007836",
          "T006804",
          "2951",
          "T002207",
          "643",
          "T027843",
          "8746",
          "1727",
          "T008046",
          "113051"
        ]
      },
      "release_date": "2016-07-18T22:00:00.000+00:00",
      "title": "CVE-2016-1000107"
    },
    {
      "cve": "CVE-2016-1000108",
      "product_status": {
        "known_affected": [
          "131442",
          "67646",
          "4871",
          "T004667",
          "67869",
          "T003426",
          "T007836",
          "T006804",
          "2951",
          "T002207",
          "643",
          "T027843",
          "8746",
          "1727",
          "T008046",
          "113051"
        ]
      },
      "release_date": "2016-07-18T22:00:00.000+00:00",
      "title": "CVE-2016-1000108"
    },
    {
      "cve": "CVE-2016-1000109",
      "product_status": {
        "known_affected": [
          "131442",
          "67646",
          "4871",
          "T004667",
          "67869",
          "T003426",
          "T007836",
          "T006804",
          "2951",
          "T002207",
          "643",
          "T027843",
          "8746",
          "1727",
          "T008046",
          "113051"
        ]
      },
      "release_date": "2016-07-18T22:00:00.000+00:00",
      "title": "CVE-2016-1000109"
    },
    {
      "cve": "CVE-2016-1000110",
      "product_status": {
        "known_affected": [
          "131442",
          "67646",
          "4871",
          "T004667",
          "67869",
          "T003426",
          "T007836",
          "T006804",
          "2951",
          "T002207",
          "643",
          "T027843",
          "8746",
          "1727",
          "T008046",
          "113051"
        ]
      },
      "release_date": "2016-07-18T22:00:00.000+00:00",
      "title": "CVE-2016-1000110"
    },
    {
      "cve": "CVE-2016-1000111",
      "product_status": {
        "known_affected": [
          "131442",
          "67646",
          "4871",
          "T004667",
          "67869",
          "T003426",
          "T007836",
          "T006804",
          "2951",
          "T002207",
          "643",
          "T027843",
          "8746",
          "1727",
          "T008046",
          "113051"
        ]
      },
      "release_date": "2016-07-18T22:00:00.000+00:00",
      "title": "CVE-2016-1000111"
    },
    {
      "cve": "CVE-2016-5385",
      "product_status": {
        "known_affected": [
          "131442",
          "67646",
          "4871",
          "T004667",
          "67869",
          "T003426",
          "T007836",
          "T006804",
          "2951",
          "T002207",
          "643",
          "T027843",
          "8746",
          "1727",
          "T008046",
          "113051"
        ]
      },
      "release_date": "2016-07-18T22:00:00.000+00:00",
      "title": "CVE-2016-5385"
    },
    {
      "cve": "CVE-2016-5386",
      "product_status": {
        "known_affected": [
          "131442",
          "67646",
          "4871",
          "T004667",
          "67869",
          "T003426",
          "T007836",
          "T006804",
          "2951",
          "T002207",
          "643",
          "T027843",
          "8746",
          "1727",
          "T008046",
          "113051"
        ]
      },
      "release_date": "2016-07-18T22:00:00.000+00:00",
      "title": "CVE-2016-5386"
    },
    {
      "cve": "CVE-2016-5387",
      "product_status": {
        "known_affected": [
          "131442",
          "67646",
          "4871",
          "T004667",
          "67869",
          "T003426",
          "T007836",
          "T006804",
          "2951",
          "T002207",
          "643",
          "T027843",
          "8746",
          "1727",
          "T008046",
          "113051"
        ]
      },
      "release_date": "2016-07-18T22:00:00.000+00:00",
      "title": "CVE-2016-5387"
    },
    {
      "cve": "CVE-2016-5388",
      "product_status": {
        "known_affected": [
          "131442",
          "67646",
          "4871",
          "T004667",
          "67869",
          "T003426",
          "T007836",
          "T006804",
          "2951",
          "T002207",
          "643",
          "T027843",
          "8746",
          "1727",
          "T008046",
          "113051"
        ]
      },
      "release_date": "2016-07-18T22:00:00.000+00:00",
      "title": "CVE-2016-5388"
    }
  ]
}

CNVD-2016-04946

Vulnerability from cnvd - Published: 2016-07-19

Title

Facebook HHVM存在httpoxy远程代理感染漏洞

Description

HHWM(HipHop VM)是Facebook推出的用来执行PHP代码的虚拟机。 httpoxy是一组影响应用程序代码在CGI环境运行的漏洞。该漏洞主要存在于多个Web服务器、Web框架和编程语言中。可对HTTP头部的Proxy字段名变换为“HTTP_PROXY”，Value值不变，进而传递给对应的CGI执行；若CGI或脚本中使用对外请求的组件依赖的是“HTTP_PROXY”环境变量，就可能被污染。未经身份验证的远程攻击者利用漏洞可发起中间人攻击，或在服务器上启动任意主机的连接。Facebook HHVM存在httpoxy远程代理感染漏洞。

Severity

中

Formal description

厂商尚未发布漏洞修复方案，请关注厂商主页及时获取更新信息： http://www.facebook.com

Reference

https://httpoxy.org/ https://www.kb.cert.org/vuls/id/797896

Impacted products

Name
Facebook HHVM

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-1000109"
    }
  },
  "description": "HHWM(HipHop VM)\u662fFacebook\u63a8\u51fa\u7684\u7528\u6765\u6267\u884cPHP\u4ee3\u7801\u7684\u865a\u62df\u673a\u3002\r\n\r\nhttpoxy\u662f\u4e00\u7ec4\u5f71\u54cd\u5e94\u7528\u7a0b\u5e8f\u4ee3\u7801\u5728CGI\u73af\u5883\u8fd0\u884c\u7684\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u4e3b\u8981\u5b58\u5728\u4e8e\u591a\u4e2aWeb\u670d\u52a1\u5668\u3001Web\u6846\u67b6\u548c\u7f16\u7a0b\u8bed\u8a00\u4e2d\u3002\u53ef\u5bf9HTTP\u5934\u90e8\u7684Proxy\u5b57\u6bb5\u540d\u53d8\u6362\u4e3a\u201cHTTP_PROXY\u201d\uff0cValue\u503c\u4e0d\u53d8\uff0c\u8fdb\u800c\u4f20\u9012\u7ed9\u5bf9\u5e94\u7684CGI\u6267\u884c\uff1b\u82e5CGI\u6216\u811a\u672c\u4e2d\u4f7f\u7528\u5bf9\u5916\u8bf7\u6c42\u7684\u7ec4\u4ef6\u4f9d\u8d56\u7684\u662f\u201cHTTP_PROXY\u201d\u73af\u5883\u53d8\u91cf\uff0c\u5c31\u53ef\u80fd\u88ab\u6c61\u67d3\u3002\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u53ef\u53d1\u8d77\u4e2d\u95f4\u4eba\u653b\u51fb\uff0c\u6216\u5728\u670d\u52a1\u5668\u4e0a\u542f\u52a8\u4efb\u610f\u4e3b\u673a\u7684\u8fde\u63a5\u3002Facebook HHVM\u5b58\u5728httpoxy\u8fdc\u7a0b\u4ee3\u7406\u611f\u67d3\u6f0f\u6d1e\u3002",
  "discovererName": "Scott Geary",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u53ca\u65f6\u83b7\u53d6\u66f4\u65b0\u4fe1\u606f\uff1a\r\nhttp://www.facebook.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-04946",
  "openTime": "2016-07-19",
  "products": {
    "product": "Facebook HHVM"
  },
  "referenceLink": "https://httpoxy.org/\r\nhttps://www.kb.cert.org/vuls/id/797896",
  "serverity": "\u4e2d",
  "submitTime": "2016-07-19",
  "title": "Facebook HHVM\u5b58\u5728httpoxy\u8fdc\u7a0b\u4ee3\u7406\u611f\u67d3\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2016-1000109 (GCVE-0-2016-1000109)

GHSA-QHF2-73W2-GWFH

GSD-2016-1000109

FKIE_CVE-2016-1000109

WID-SEC-W-2025-2522

CNVD-2016-04946

Tags

Sightings

Nomenclature