CVE-2016-5385

Name: CVE-2016-5385
Creator: NVD / NIST
Published: 2016-07-19T02:00:17.773+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.1/10EPSS 50.43%

Last modified Jun 17, 2026

CVE-2016-5385 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.. EPSS estimates a 50.43% chance of exploitation in the next 30 days.

Description

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

Metrics

CVSS 3.1

8.1/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

50.43%

98.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-601

Affected Software

Vendor	Product	Versions
Oracle	Communications User Data Repository	10.0.0
Oracle	Communications User Data Repository	10.0.1
Oracle	Communications User Data Repository	12.0.0
Oracle	Enterprise Manager Ops Center	12.2.2
Oracle	Enterprise Manager Ops Center	12.3.2
Oracle	Linux	6
Oracle	Linux	7
Fedoraproject	Fedora	23
Fedoraproject	Fedora	24
Hp	Storeever Msl6480 Tape Library Firmware	<= 5.09
Hp	System Management Homepage	<= 7.5.5.0
Php	Php	>= 5.5.0, < 5.5.38
Php	Php	>= 5.6.0, < 5.6.24
Php	Php	>= 7.0.0, <= 7.0.8
Redhat	Enterprise Linux Desktop	6.0
Redhat	Enterprise Linux Server	6.0
Redhat	Enterprise Linux Workstation	6.0
Debian	Debian Linux	8.0
Opensuse	Leap	42.1
Drupal	Drupal	>= 8.0.0, < 8.1.7

References

http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-1609.htmlBroken Link, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-1610.htmlBroken Link, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-1611.htmlBroken Link, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-1612.htmlBroken Link, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-1613.htmlBroken Link, Third Party Advisory
http://www.debian.org/security/2016/dsa-3631Third Party Advisory
http://www.kb.cert.org/vuls/id/797896Third Party Advisory, US Government Resource
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.htmlThird Party Advisory
http://www.securityfocus.com/bid/91821Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1036335Third Party Advisory, VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1353794Issue Tracking, Third Party Advisory, VDB Entry
https://github.com/guzzle/guzzle/releases/tag/6.2.1Release Notes, Third Party Advisory
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_usThird Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722Third Party Advisory
https://httpoxy.org/Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/
https://security.gentoo.org/glsa/201611-22Third Party Advisory
https://www.drupal.org/SA-CORE-2016-003Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-1609.htmlBroken Link, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-1610.htmlBroken Link, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-1611.htmlBroken Link, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-1612.htmlBroken Link, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-1613.htmlBroken Link, Third Party Advisory
http://www.debian.org/security/2016/dsa-3631Third Party Advisory
http://www.kb.cert.org/vuls/id/797896Third Party Advisory, US Government Resource
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.htmlThird Party Advisory
http://www.securityfocus.com/bid/91821Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1036335Third Party Advisory, VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1353794Issue Tracking, Third Party Advisory, VDB Entry
https://github.com/guzzle/guzzle/releases/tag/6.2.1Release Notes, Third Party Advisory
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_usThird Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05333297Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722Third Party Advisory
https://httpoxy.org/Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7RMYXAVNYL2MOBJTFATE73TOVOEZYC5R/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GXFEIMZPSVGZQQAYIQ7U7DFVX3IBSDLF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KZOIUYZDBWNDDHC6XTOLZYRMRXZWTJCP/
https://security.gentoo.org/glsa/201611-22Third Party Advisory
https://www.drupal.org/SA-CORE-2016-003Third Party Advisory

Timeline

Published: Jul 19, 2016
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2016-5385?

How severe is CVE-2016-5385?

CVE-2016-5385 has a CVSS score of 8.1/10 (HIGH severity). The EPSS model estimates a 50.43% probability of exploitation in the next 30 days.

How do I fix CVE-2016-5385?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-5385?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST