Huawei : Huawei Data Communication: A CGI application vulnerability in Some Huawei Products (huawei-sa-20171129-01-httpproxy)

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.143972

Kategorie: Huawei

Titel: Huawei Data Communication: A CGI application vulnerability in Some Huawei Products (huawei-sa-20171129-01-httpproxy)

Zusammenfassung: Some open source software used by Huawei does not attempt to address RFC 3875 section 4.1.18 namespace conflicts.

Beschreibung: Summary:
Some open source software used by Huawei does not attempt to address RFC 3875 section 4.1.18 namespace conflicts.

Vulnerability Insight:
Some open source software used by Huawei does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request. (Vulnerability ID: HWPSIRT-2016-07052)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-5386.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references.

Vulnerability Impact:
Remote attackers can redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request by exploit this vulnerability.

Affected Software/OS:
AR3200 versions V200R005C30 V200R005C32 V200R006C10 V200R006C11 V200R006C12 V200R006C13 V200R006C15 V200R006C16 V200R006C17 V200R007C00

Solution:
See the referenced vendor advisory for a solution.

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2016-5386
CERT/CC vulnerability note: VU#797896
http://www.kb.cert.org/vuls/id/797896
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7WGHKKCFP4PLVSWQKCM3FJJPEWB5ZNTU/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OR52UXGM6RKSCWF3KQMVZGVZVJ3WEESJ/
https://httpoxy.org/
RedHat Security Advisories: RHSA-2016:1538
http://rhn.redhat.com/errata/RHSA-2016-1538.html

Copyright Copyright (C) 2020 Greenbone Networks GmbH

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.143972
Kategorie:	Huawei
Titel:	Huawei Data Communication: A CGI application vulnerability in Some Huawei Products (huawei-sa-20171129-01-httpproxy)
Zusammenfassung:	Some open source software used by Huawei does not attempt to address RFC 3875 section 4.1.18 namespace conflicts.
Beschreibung:	Summary: Some open source software used by Huawei does not attempt to address RFC 3875 section 4.1.18 namespace conflicts. Vulnerability Insight: Some open source software used by Huawei does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request. (Vulnerability ID: HWPSIRT-2016-07052)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-5386.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references. Vulnerability Impact: Remote attackers can redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request by exploit this vulnerability. Affected Software/OS: AR3200 versions V200R005C30 V200R005C32 V200R006C10 V200R006C11 V200R006C12 V200R006C13 V200R006C15 V200R006C16 V200R006C17 V200R007C00 Solution: See the referenced vendor advisory for a solution. CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2016-5386 CERT/CC vulnerability note: VU#797896 http://www.kb.cert.org/vuls/id/797896 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7WGHKKCFP4PLVSWQKCM3FJJPEWB5ZNTU/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OR52UXGM6RKSCWF3KQMVZGVZVJ3WEESJ/ https://httpoxy.org/ RedHat Security Advisories: RHSA-2016:1538 http://rhn.redhat.com/errata/RHSA-2016-1538.html
Copyright	Copyright (C) 2020 Greenbone Networks GmbH