CVE-2016-5385: Vulnerability in CGI applications

July 18, 2016 (updated March 4, 2019)

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict: RFC (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY and HTTP_PROXY is a popular environment variable used to configure an outgoing proxy. This leads to a remotely exploitable vulnerability.

References

github.com/guzzle/guzzle/blob/4.x/CHANGELOG.md
github.com/guzzle/guzzle/blob/5.3/CHANGELOG.md
github.com/guzzle/guzzle/blob/master/CHANGELOG.md
github.com/guzzle/guzzle/releases/tag/6.2.1
httpoxy.org/

Code Behaviors & Features

Detect and mitigate CVE-2016-5385 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →