CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.97 High
Percentile: 99.7%

The squid patches page notes:

This patch makes Squid considerably stricter while parsing the HTTP protocol.

A Content-length header should only appear once in a valid request or response. Multiple Content-length headers, in conjunction with specially crafted requests, may allow Squid’s cache to be poisoned with bad content in certain situations.

CR characters are only allowed as part of the CR NL line terminator, not alone. This is to ensure that all involved agree on the structure of HTTP headers.

Rejects requests/responses that have whitespace in an HTTP header name.

To enable these strict parsing rules, update to at least squid-2.5.7_9 and specify relaxed_header_parser off in squid.conf.
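
The three strict-parsing rules quoted above, written out as a standalone check. This is an added Python example, not Squid's code and not part of the original advisory; the function name `strict_header_violations` and the sample messages are constructed for illustration.

```python
import re

def strict_header_violations(raw_head: bytes) -> list:
    """Check a raw HTTP header block against the three strict-parsing rules.

    raw_head is the request/status line plus header lines, without the
    terminating blank line. Returns a list of violations (empty = passes).
    """
    problems = []
    # Rule: CR may appear only as part of the CR LF line terminator.
    if re.search(rb"\r(?!\n)", raw_head):
        problems.append("bare CR")
    content_lengths = 0
    lines = raw_head.replace(b"\r\n", b"\n").split(b"\n")
    for line in lines[1:]:  # lines[0] is the request or status line
        if not line or line[:1] in (b" ", b"\t"):
            continue  # trailing empty line or folded continuation
        name, sep, _value = line.partition(b":")
        if not sep:
            problems.append("header line without colon")
            continue
        # Rule: no whitespace inside or after the header name.
        if b" " in name or b"\t" in name:
            problems.append("whitespace in header name")
        # Rule: Content-Length must appear at most once.
        if name.strip().lower() == b"content-length":
            content_lengths += 1
    if content_lengths > 1:
        problems.append("duplicate Content-Length")
    return problems

# Constructed sample messages (not captured traffic).
CLEAN = b"POST /a HTTP/1.0\r\nHost: example.test\r\nContent-Length: 5"
DUPLICATE = CLEAN + b"\r\nContent-Length: 0"
BARE_CR = b"GET / HTTP/1.0\r\nHost: example.test\rX-Note: y"
SPACED_NAME = b"POST /a HTTP/1.0\r\nContent-Length : 5"

if __name__ == "__main__":
    for label, msg in [("clean", CLEAN), ("duplicate", DUPLICATE),
                       ("bare CR", BARE_CR), ("spaced name", SPACED_NAME)]:
        print(label, "->", strict_header_violations(msg) or "ok")
```

A proxy and the servers or clients around it need to reach the same verdict on each of these inputs; the cache-poisoning risk the patch note describes arises when they do not.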