Decription: Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The details of this are explained at https://httpoxy.org/.
Affected versions: Drupal core 8.x versions prior to 8.1.7
Recommended action: Install the latest version:
- If you use Drupal 8.x, upgrade to Drupal core 8.1.7
- If you use Drupal 7.x, Drupal core is not affected. However you should consider using the mitigation steps at https://httpoxy.org/ since you might have modules or other software on your server affected by this issue. For example, sites using Apache can add the following code to .htaccess:
<IfModule mod_headers.c> RequestHeader unset Proxy </IfModule>
It is also suggested mitigating it as described here: https://httpoxy.org/
Also see the Drupal core project page.