View at Official suse advisory, NVD, CVE.org · CVE detail
Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.
CVE-2016-5388 severity moderate: SUSE including 36 source package names (tomcat-7.0.54-8.el7_2, tomcat-7.0.78-7.13.4, …), 94 product×package rows across 11 product lines (SUSE Liberty Linux 7, SUSE Linux Enterprise Point of Sale 11 SP3, … (11 product lines)): Fixed 94.
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.