CVE-2016-5386 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2016-5386

CVE-2016-5386

Published:July 19, 2016

Updated:May 17, 2026

The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.

Related Resources (15)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WGHKKCFP4PLVSWQKCM3FJJPEWB5ZNTU/

https://httpoxy.org/

https://people.canonical.com/~ubuntu-security/cve/CVE-2016-5386

http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

http://rhn.redhat.com/errata/RHSA-2016-1538.html

https://go.dev/cl/25010

https://access.redhat.com/security/cve/CVE-2016-5386

https://go.googlesource.com/go/+/b97df54c31d6c4cc2a28a3c83725366d52329223

http://www.kb.cert.org/vuls/id/797896