OR
     *cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions from (including) 7.0 up to (including) 7.0.70
     *cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions from (including) 8.0 up to (including) 8.5.4

OR
     *cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions from (including) 6.0 up to (including) 6.0.45
     *cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions from (including) 7.0 up to (including) 7.0.70
     *cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions from (including) 8.0 up to (including) 8.5.4

OR
     *cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions up to (including) 8.5.4

OR
     *cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions from (including) 7.0 up to (including) 7.0.70
     *cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions from (including) 8.0 up to (including) 8.5.4

http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html No Types Assigned

http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2016-1624.html No Types Assigned

http://rhn.redhat.com/errata/RHSA-2016-1624.html Third Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html No Types Assigned

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html Patch, Third Party Advisory

http://www.securityfocus.com/bid/91818 No Types Assigned

http://www.securityfocus.com/bid/91818 Third Party Advisory, VDB Entry

http://www.securitytracker.com/id/1036331 Third Party Advisory, Vendor Advisory

http://www.securitytracker.com/id/1036331 Third Party Advisory, VDB Entry, Vendor Advisory

https://access.redhat.com/errata/RHSA-2016:1635 No Types Assigned

https://access.redhat.com/errata/RHSA-2016:1635 Third Party Advisory

https://access.redhat.com/errata/RHSA-2016:1636 No Types Assigned

https://access.redhat.com/errata/RHSA-2016:1636 Third Party Advisory

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us No Types Assigned

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us Third Party Advisory

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759 No Types Assigned

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759 Third Party Advisory

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 No Types Assigned

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 Third Party Advisory

https://httpoxy.org/ No Types Assigned

https://httpoxy.org/ Third Party Advisory

https://tomcat.apache.org/tomcat-7.0-doc/changelog.html No Types Assigned

https://tomcat.apache.org/tomcat-7.0-doc/changelog.html Release Notes, Vendor Advisory

https://www.apache.org/security/asf-httpoxy-response.txt No Types Assigned

https://www.apache.org/security/asf-httpoxy-response.txt Vendor Advisory

Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CV

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releas

https://tomcat.apache.org/tomcat-7.0-doc/changelog.html [No Types Assigned]

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us [No Types Assigned]

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html [No Types Assigned]

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 [No Types Assigned]

http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html [No Types Assigned]

http://rhn.redhat.com/errata/RHSA-2016-1624.html [No Types Assigned]

http://www.securityfocus.com/bid/91818 [No Types Assigned]

https://access.redhat.com/errata/RHSA-2016:1635 [No Types Assigned]

https://access.redhat.com/errata/RHSA-2016:1636 [No Types Assigned]

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759

Configuration 1
     OR
          *cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:* (and previous)

Configuration 1
     OR
          *cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2:*:*:*:*:*:*:*
          *cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*
          *cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*
          *cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
          *cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
          *cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
          *cpe:2.3:o:redhat:enterprise_l

http://rhn.redhat.com/errata/RHSA-2016-2045.html No Types Assigned

http://rhn.redhat.com/errata/RHSA-2016-2045.html Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2016-2046.html No Types Assigned

http://rhn.redhat.com/errata/RHSA-2016-2046.html Third Party Advisory

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html No Types Assigned

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html Third Party Advisory

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149 No Types Assigned

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149 Third Party Advisory

Configuration 1
     OR
          *cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:* (and previous)

Configuration 1
     OR
          *cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
          *cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
          *cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*
          *cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Configuration 2
     OR
          *cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:* (and previous)
Configuration 3
     OR
          *cpe:2.3:o:oracle:linux:7.0:*:*:*:*:*:*:*
          *cpe:2.3

http://rhn.redhat.com/errata/RHSA-2016-2045.html No Types Assigned

http://rhn.redhat.com/errata/RHSA-2016-2045.html Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2016-2046.html No Types Assigned

http://rhn.redhat.com/errata/RHSA-2016-2046.html Third Party Advisory

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html No Types Assigned

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html Third Party Advisory

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149 No Types Assigned

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149 Third Party Advisory

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

http://rhn.redhat.com/errata/RHSA-2016-2045.html

http://rhn.redhat.com/errata/RHSA-2016-2046.html

http://www.securitytracker.com/id/1036331 No Types Assigned

http://www.securitytracker.com/id/1036331 Third Party Advisory, Vendor Advisory

http://www.securitytracker.com/id/1036331

Configuration 1
     OR
          *cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:* (and previous)

(AV:N/AC:H/Au:N/C:P/I:P/A:P)

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-284

http://www.kb.cert.org/vuls/id/797896 US Govt Resource

http://www.kb.cert.org/vuls/id/797896 Advisory, US Govt Resource