CVE-2016-5387 (retired)

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and
therefore does not protect applications from the presence of untrusted
client data in the HTTP_PROXY environment variable, which might allow
remote attackers to redirect an application's outbound HTTP traffic to an
arbitrary proxy server via a crafted Proxy header in an HTTP request, aka
an "httpoxy" issue. NOTE: the vendor states "This mitigation has been
assigned the identifier CVE-2016-5387"; in other words, this is not a CVE
ID for a vulnerability.
Ubuntu 16.04 LTS (Xenial Xerus):released (2.4.18-2ubuntu3.1)
More Information

Updated: 2019-08-23 09:11:09 UTC (commit 436fd4ed4cf0038ddd382cb8649607ace163dda7)