Sep 01, 2004 - 4:00 a.m.

CVE-2004-0189

2004-09-01 04:00:00
web.nvd.nist.gov
cve-2004-0189
squid
url decoding
remote attack
security bypass
access control lists

AI Score: 6.2 Medium (Confidence: Low)

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.027 Low (Percentile: 90.5%)

The “%xx” URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL (“%00”) character, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists.

Affected configurations (NVD)

Node: vendor squid, product squid, matching any of the following versions (OR):
2.0_patch2
2.1_patch2
2.3_stable5
2.4
2.4_stable7
2.5_stable3
2.5_stable4
