// For flags

CVE-2016-1000109

 

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. This issue affects HHVM versions prior to 3.9.6, all versions between 3.10.0 and 3.12.4 (inclusive), and all versions between 3.13.0 and 3.14.2 (inclusive).

HHVM no intenta abordar los conflictos de espacio de nombres de RFC 3875 section versión 4.1.18 y, por lo tanto, no protege las aplicaciones CGI de la presencia de datos de clientes no confiables en la variable de entorno HTTP_PROXY, lo que podría permitir a atacantes remotos redireccionar el tráfico HTTP saliente de una aplicación CGI hacia un servidor proxy arbitrario por medio de un encabezado Proxy diseñado en una petición HTTP, también se conoce como un problema "httpoxy". Este problema afecta a las versiones HHVM anteriores a 3.9.6, todas las versiones entre 3.10.0 y 3.12.4 (inclusive), y todas las versiones entre 3.13.0 y 3.14.2 (inclusive).

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-07-18 CVE Reserved
  • 2020-02-19 CVE Published
  • 2023-03-07 EPSS Updated
  • 2024-08-06 CVE Updated
  • 2024-08-06 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-665: Improper Initialization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Facebook
Search vendor "Facebook"
 Hhvm
Search vendor "Facebook" for product "Hhvm"
 < 3.9.6
Search vendor "Facebook" for product "Hhvm" and version " < 3.9.6"
-
Affected
Facebook
Search vendor "Facebook"
 Hhvm
Search vendor "Facebook" for product "Hhvm"
 >= 3.10.0 <= 3.12.4
Search vendor "Facebook" for product "Hhvm" and version " >= 3.10.0 <= 3.12.4"
-
Affected
Facebook
Search vendor "Facebook"
 Hhvm
Search vendor "Facebook" for product "Hhvm"
 >= 3.13.0 <= 3.14.2
Search vendor "Facebook" for product "Hhvm" and version " >= 3.13.0 <= 3.14.2"
-
Affected