nvd, NVD:CVE-2020-15810
Sep 02, 2020 - 5:15 p.m.

CVE-2020-15810

2020-09-02 17:15:11
CWE-444
web.nvd.nist.gov

CVSS2: 3.5 Low

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score: 7.2 High
Confidence: High

EPSS: 0.002 Low
Percentile: 56.8%

An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. When this occurs as a prefix to a Content-Length header, the frame length specified will be ignored by Squid (allowing for a conflicting length to be used from another Content-Length header) but relayed upstream.
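As an added illustration (not code from NVD or the Squid project), the check below flags the two conditions the description names: a field name carrying whitespace, and Content-Length fields that disagree once that whitespace is ignored. The function name and both sample requests are constructed for this example, and CRLF line endings are assumed.

```python
import re

# Characters RFC 7230 allows in a field name ("token").
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
WS = b" \t\r\n\x0b\x0c"

def audit_header_block(raw: bytes) -> list[str]:
    """Return findings for a raw request head (request line + field lines)."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]      # skip the request line
    lengths = []                         # every value claiming to be a Content-Length
    for n, line in enumerate(lines, start=1):
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append(f"line {n}: no colon in field line")
            continue
        # Whitespace before or inside the name (including obsolete line
        # folding) means different parsers may read this line differently.
        if not TOKEN.fullmatch(name):
            findings.append(f"line {n}: field name {name!r} is not a bare token")
        # Count disguised Content-Length fields together with the clean one,
        # because some hop on the path may honour either.
        if name.strip(WS).lower() == b"content-length":
            lengths.append(value.strip(b" \t"))
    if len(set(lengths)) > 1:
        values = ", ".join(sorted(v.decode("latin-1") for v in set(lengths)))
        findings.append("conflicting Content-Length values: " + values)
    return findings

# Constructed samples (headers only, no body).
SAMPLE_CLEAN = (b"POST /upload HTTP/1.1\r\n"
                b"Host: origin.example\r\n"
                b"Content-Length: 5\r\n\r\n")
SAMPLE_SUSPECT = (b"POST /upload HTTP/1.1\r\n"
                  b"Host: origin.example\r\n"
                  b"Content-Length: 5\r\n"
                  b" Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        print(label, audit_header_block(req))
```

A request that produces any finding is one to reject or log at the edge rather than relay.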

Affected configurations

NVD
Node
squid-cache | squid | Range | <4.13
OR
squid-cache | squid | Range | 5.0 - 5.0.4
Node
canonical | ubuntu_linux | Match | 16.04 lts
OR
canonical | ubuntu_linux | Match | 18.04 lts
OR
canonical | ubuntu_linux | Match | 20.04 lts
Node
debian | debian_linux | Match | 9.0
OR
debian | debian_linux | Match | 10.0
Node
fedoraproject | fedora | Match | 31
OR
fedoraproject | fedora | Match | 32
OR
fedoraproject | fedora | Match | 33
Node
opensuse | leap | Match | 15.1
OR
opensuse | leap | Match | 15.2
