Component Type: TYPO3 CMS
Release Date: July 19, 2016
Vulnerability Type: Environment Variable Injection
Affected Versions: Versions 8.0.0 to 8.2.0
related CVE: CVE-2016-5385
Problem Description: PHP, when used as CGI, FPM or HHVM, exposes http headers also as environment variables starting with "HTTP_". TYPO3 version 8.2.0 is vulnerable because it uses the third party library guzzlehttp/guzzlel, which makes use of the environment variable "HTTP_PROXY". Read https://www.symfony.fi/entry/httpoxy-vulnerability-hits-php-installations-using-fastcgi-and-php-fpm-and-hhvm or https://httpoxy.org/ for further details.
Solution: Update to TYPO3 version 8.2.1 that fixes the problem described.
General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note: All security related code changes are tagged so that you can easily look them up on our review system.