Lucene search

K

[email protected]NVD:CVE-2019-18677

HistoryNov 26, 2019 - 5:15 p.m.

CVE-2019-18677

2019-11-2617:15:12

CWE-352

[email protected]

web.nvd.nist.gov

1

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

7.6 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.7%

An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.

Affected configurations

NVD

Node

squid-cachesquidRange2.0–2.7

OR

squid-cachesquidRange3.0–3.5.28

OR

squid-cachesquidRange4.0–4.8

OR

squid-cachesquidMatch2.7stable2

OR

squid-cachesquidMatch2.7stable3

OR

squid-cachesquidMatch2.7stable4

OR

squid-cachesquidMatch2.7stable5

OR

squid-cachesquidMatch2.7stable6

OR

squid-cachesquidMatch2.7stable7

OR

squid-cachesquidMatch2.7stable8

OR

squid-cachesquidMatch2.7stable9

Node

canonicalubuntu_linuxMatch16.04lts

OR

canonicalubuntu_linuxMatch18.04lts

OR

canonicalubuntu_linuxMatch19.04

OR

canonicalubuntu_linuxMatch19.10

Node

fedoraprojectfedoraMatch30

OR

fedoraprojectfedoraMatch31

References

www.squid-cache.org/Advisories/SQUID-2019_9.txt

www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch

www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch

bugzilla.suse.com/show_bug.cgi?id=1156328

github.com/squid-cache/squid/pull/427

lists.debian.org/debian-lts-announce/2019/12/msg00011.html

lists.debian.org/debian-lts-announce/2020/07/msg00009.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/

usn.ubuntu.com/4213-1/

www.debian.org/security/2020/dsa-4682

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

7.6 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.7%

Related for NVD:CVE-2019-18677

debiancve1 prion1 cvelist1 veracode1 osv6 redhatcve1 cve1 ubuntucve1 openvas17 nessus23 debian3 amazon2 fedora2 mageia1 ubuntu1 altlinux1 suse2 redhat1 rocky1 oraclelinux1 almalinux1 rosalinux1