6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
Squid is vulnerable to HTTP request smuggling. An attacker is able to smuggle HTTP requests due to insecure data validation in the Content-Length
header. This vulnerability allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. When this occurs as a prefix to a Content-Length header, the frame length specified will be ignored by Squid (allowing for a conflicting length to be used from another Content-Length header) but relayed upstream.
lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html
lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html
github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m
lists.debian.org/debian-lts-announce/2020/10/msg00005.html
lists.fedoraproject.org/archives/list/[email protected]/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/
lists.fedoraproject.org/archives/list/[email protected]/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/
lists.fedoraproject.org/archives/list/[email protected]/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/
security.netapp.com/advisory/ntap-20210219-0007/
security.netapp.com/advisory/ntap-20210226-0006/
security.netapp.com/advisory/ntap-20210226-0007/
usn.ubuntu.com/4477-1/
usn.ubuntu.com/4551-1/
www.debian.org/security/2020/dsa-4751
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N