CVE-2019-18678

Published: Nov 26, 2019 Last Modified: Nov 21, 2024
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 5,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: low
Availability: none
MEDIUM 5,0
Source: [email protected]
Access Vector: network
Access Complexity: low
Authentication: none
Confidentiality: none
Integrity: partial
Availability: none

Description

AI Translation Available

An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid) with attacker-controlled content at arbitrary URLs. Effects are isolated to software between the attacker client and Squid. There are no effects on Squid itself, nor on any upstream servers. The issue is related to a request header containing whitespace between a header name and a colon.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0996
Percentile
0,9th
Updated

EPSS Score Trend (Last 90 Days)

444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Non-Repudiation Access Control
Potential Impacts:
Unexpected State Hide Activities Bypass Protection Mechanism
Applicable Platforms
Technologies: Web Based, Web Server
View CWE Details
Operating System

Ubuntu Linux by Canonical

Product Information
Vendor Canonical
Product Ubuntu Linux
Version 18.04
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Fedora by Fedoraproject

Product Information
Vendor Fedoraproject
Product Fedora
Version 31
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Fedora by Fedoraproject

Product Information
Vendor Fedoraproject
Product Fedora
Version 30
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Squid by Squid-Cache

Product Information
Vendor Squid-Cache
Product Squid
Version Range Affected
From 4.0 (inclusive)
To 4.8 (inclusive)
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Ubuntu Linux by Canonical

Product Information
Vendor Canonical
Product Ubuntu Linux
Version 19.10
cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Debian Linux by Debian

Product Information
Vendor Debian
Product Debian Linux
Version 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Ubuntu Linux by Canonical

Product Information
Vendor Canonical
Product Ubuntu Linux
Version 19.04
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System

Ubuntu Linux by Canonical

Product Information
Vendor Canonical
Product Ubuntu Linux
Version 16.04
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Squid by Squid-Cache

Product Information
Vendor Squid-Cache
Product Squid
Version Range Affected
From 3.0 (inclusive)
To 3.5.28 (inclusive)
cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://bugzilla.suse.com/show_bug.cgi?id=1156323
Issue Tracking Third Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1156323
https://github.com/squid-cache/squid/pull/445
Patch Third Party Advisory
https://github.com/squid-cache/squid/pull/445
https://lists.debian.org/debian-lts-announce/2019/12/msg000…
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html
https://lists.debian.org/debian-lts-announce/2020/07/msg000…
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
https://lists.fedoraproject.org/archives/list/package-annou…
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://lists.fedoraproject.org/archives/list/package-annou…
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://security.gentoo.org/glsa/202003-34
https://security.gentoo.org/glsa/202003-34
https://usn.ubuntu.com/4213-1/
Third Party Advisory
https://usn.ubuntu.com/4213-1/
https://www.debian.org/security/2020/dsa-4682
https://www.debian.org/security/2020/dsa-4682
http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
Third Party Advisory
http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
http://www.squid-cache.org/Versions/v4/changesets/squid-4-6…
Release Notes
http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c7…
https://bugzilla.suse.com/show_bug.cgi?id=1156323
Issue Tracking Third Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1156323
https://github.com/squid-cache/squid/pull/445
Patch Third Party Advisory
https://github.com/squid-cache/squid/pull/445
https://lists.debian.org/debian-lts-announce/2019/12/msg000…
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html
https://lists.debian.org/debian-lts-announce/2020/07/msg000…
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
https://lists.fedoraproject.org/archives/list/package-annou…
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://lists.fedoraproject.org/archives/list/package-annou…
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapr…
https://security.gentoo.org/glsa/202003-34
https://security.gentoo.org/glsa/202003-34
https://usn.ubuntu.com/4213-1/
Third Party Advisory
https://usn.ubuntu.com/4213-1/
https://www.debian.org/security/2020/dsa-4682
https://www.debian.org/security/2020/dsa-4682
http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
Third Party Advisory
http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
http://www.squid-cache.org/Versions/v4/changesets/squid-4-6…
Release Notes
http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c7…