CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2016-6287

The "http-client" egg always used a HTTP_PROXY environment variable to determine whether HTTP traffic should be routed via a proxy, even when running as a CGI process. Under several web servers this would mean a user-supplied "Proxy" header could allow an attacker to direct all HTTP requests through a proxy (also known as a "httpoxy" attack). This affects all versions of http-client before 0.10.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.007

EPSS Ranking 71.0%

CVSS Severity

CVSS v3 Score 7.5

CVSS v2 Score 5.0

References

http://lists.gnu.org/archive/html/chicken-announce/2016-07/msg00000.html
http://www.securityfocus.com/bid/92105
http://lists.gnu.org/archive/html/chicken-announce/2016-07/msg00000.html
http://www.securityfocus.com/bid/92105

Products affected by CVE-2016-6287

Call-Cc » Http-Client » Version: 0.4.2

cpe:2.3:a:call-cc:http-client:0.4.2
Call-Cc » Http-Client » Version: 0.9

cpe:2.3:a:call-cc:http-client:0.9

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2016-6287

Products

Pricing

Contact Us