CVE-2016-4694

Publication date 25 September 2016

Last updated 25 August 2025

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

9.1 · Critical

Score breakdown

Description

The Apache HTTP Server in Apple OS X before 10.12 and OS X Server before 5.2 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted CGI client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue, a related issue to CVE-2016-5387.

Read the notes from the security team

Status

Package Ubuntu Release Status
apache2 16.04 LTS xenial
Not affected
14.04 LTS trusty
Not affected
12.04 LTS precise
Not affected

Notes

mdeslaur

this is probably an apple-specific CVE for the same issue as CVE-2016-5387, marking as not-affected

Severity score breakdown

CVSS version: CVSS v3.0

Base score 9.1 · Critical

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

Other references

Access our resources on patching vulnerabilities