2.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:H/Au:N/C:N/I:P/A:N
0.017 Low
EPSS
Percentile
87.5%
Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and
3.5.x before 3.5.4, when configured with client-first SSL-bump, do not
properly validate the domain or hostname fields of X.509 certificates,
which allows man-in-the-middle attackers to spoof SSL servers via a valid
certificate.
Author | Note |
---|---|
mdeslaur | only an issue if squid3 is built with --enable-ssl, which isn’t the case on debian/ubuntu for licensing reasons. However, we should probably fix this anyway as rebuilding the Ubuntu package locally to enable ssl is a common scenario. 3.1.x not affected |