CVE-2019-18678

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2019-18678
An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid) with attacker-controlled content at arbitrary URLs. Effects are isolated to software between the attacker client and Squid. There are no effects on Squid itself, nor on any upstream servers. The issue is related to a request header containing whitespace between a header name and a colon.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References
Link Resource
http://www.squid-cache.org/Advisories/SQUID-2019_10.txt Third Party Advisory
http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch Release Notes
https://bugzilla.suse.com/show_bug.cgi?id=1156323 Issue Tracking Third Party Advisory
https://github.com/squid-cache/squid/pull/445 Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/
https://security.gentoo.org/glsa/202003-34
https://usn.ubuntu.com/4213-1/ Third Party Advisory
https://www.debian.org/security/2020/dsa-4682
http://www.squid-cache.org/Advisories/SQUID-2019_10.txt Third Party Advisory
http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch Release Notes
https://bugzilla.suse.com/show_bug.cgi?id=1156323 Issue Tracking Third Party Advisory
https://github.com/squid-cache/squid/pull/445 Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/
https://security.gentoo.org/glsa/202003-34
https://usn.ubuntu.com/4213-1/ Third Party Advisory
https://www.debian.org/security/2020/dsa-4682
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
History

No history.

Information

Published : 2019-11-26 17:15

Updated : 2024-11-21 04:33

NVD link : CVE-2019-18678

Mitre link : CVE-2019-18678

CVE.ORG link : CVE-2019-18678

JSON object : View

Products Affected

squid-cache

  • squid

fedoraproject

  • fedora

canonical

  • ubuntu_linux

debian

  • debian_linux
CWE
CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')