Huawei : Huawei Data Communication: A CGI application vulnerability in Some Huawei Products (huawei-sa-20171129-01-httpproxy)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.143972

Categoría: Huawei

Título: Huawei Data Communication: A CGI application vulnerability in Some Huawei Products (huawei-sa-20171129-01-httpproxy)

Resumen: Some open source software used by Huawei does not attempt to address RFC 3875 section 4.1.18 namespace conflicts.

Descripción: Summary:
Some open source software used by Huawei does not attempt to address RFC 3875 section 4.1.18 namespace conflicts.

Vulnerability Insight:
Some open source software used by Huawei does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request. (Vulnerability ID: HWPSIRT-2016-07052)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-5386.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references.

Vulnerability Impact:
Remote attackers can redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request by exploit this vulnerability.

Affected Software/OS:
AR3200 versions V200R005C30 V200R005C32 V200R006C10 V200R006C11 V200R006C12 V200R006C13 V200R006C15 V200R006C16 V200R006C17 V200R007C00

Solution:
See the referenced vendor advisory for a solution.

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2016-5386
CERT/CC vulnerability note: VU#797896
http://www.kb.cert.org/vuls/id/797896
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7WGHKKCFP4PLVSWQKCM3FJJPEWB5ZNTU/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OR52UXGM6RKSCWF3KQMVZGVZVJ3WEESJ/
https://httpoxy.org/
RedHat Security Advisories: RHSA-2016:1538
http://rhn.redhat.com/errata/RHSA-2016-1538.html

Copyright Copyright (C) 2020 Greenbone Networks GmbH

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.143972
Categoría:	Huawei
Título:	Huawei Data Communication: A CGI application vulnerability in Some Huawei Products (huawei-sa-20171129-01-httpproxy)
Resumen:	Some open source software used by Huawei does not attempt to address RFC 3875 section 4.1.18 namespace conflicts.
Descripción:	Summary: Some open source software used by Huawei does not attempt to address RFC 3875 section 4.1.18 namespace conflicts. Vulnerability Insight: Some open source software used by Huawei does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request. (Vulnerability ID: HWPSIRT-2016-07052)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-5386.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references. Vulnerability Impact: Remote attackers can redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request by exploit this vulnerability. Affected Software/OS: AR3200 versions V200R005C30 V200R005C32 V200R006C10 V200R006C11 V200R006C12 V200R006C13 V200R006C15 V200R006C16 V200R006C17 V200R007C00 Solution: See the referenced vendor advisory for a solution. CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2016-5386 CERT/CC vulnerability note: VU#797896 http://www.kb.cert.org/vuls/id/797896 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7WGHKKCFP4PLVSWQKCM3FJJPEWB5ZNTU/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OR52UXGM6RKSCWF3KQMVZGVZVJ3WEESJ/ https://httpoxy.org/ RedHat Security Advisories: RHSA-2016:1538 http://rhn.redhat.com/errata/RHSA-2016-1538.html
Copyright	Copyright (C) 2020 Greenbone Networks GmbH