Vulnerability-Lookup

CVE-2020-15049 (GCVE-0-2020-15049)

Vulnerability from cvelistv5 – Published: 2020-06-30 17:55 – Updated: 2024-08-04 13:08

Summary

An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing "+\ "-" or an uncommon shell whitespace character prefix to the length field-value.

Severity ?

9.9 (Critical)


                        
                          CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N

CWE

Assigner

mitre

References

10 references

URL	Tags
http://www.squid-cache.org/Versions/v4/changesets…	x_refsource_MISC
http://www.squid-cache.org/Versions/v5/changesets…	x_refsource_MISC
https://github.com/squid-cache/squid/security/adv…	x_refsource_CONFIRM
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
https://www.debian.org/security/2020/dsa-4732	vendor-advisoryx_refsource_DEBIAN
http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
https://usn.ubuntu.com/4551-1/	vendor-advisoryx_refsource_UBUNTU
https://lists.debian.org/debian-lts-announce/2020…	mailing-listx_refsource_MLIST
https://security.netapp.com/advisory/ntap-2021031…	x_refsource_CONFIRM

Date Public ?

2020-06-26 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:08:21.396Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5"
          },
          {
            "name": "FEDORA-2020-cbebc5617e",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/"
          },
          {
            "name": "DSA-4732",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4732"
          },
          {
            "name": "openSUSE-SU-2020:1346",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html"
          },
          {
            "name": "openSUSE-SU-2020:1369",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html"
          },
          {
            "name": "USN-4551-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4551-1/"
          },
          {
            "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210312-0001/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2020-06-26T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing \"+\\ \"-\" or an uncommon shell whitespace character prefix to the length field-value."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-03-12T12:06:30.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5"
        },
        {
          "name": "FEDORA-2020-cbebc5617e",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/"
        },
        {
          "name": "DSA-4732",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4732"
        },
        {
          "name": "openSUSE-SU-2020:1346",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html"
        },
        {
          "name": "openSUSE-SU-2020:1369",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html"
        },
        {
          "name": "USN-4551-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4551-1/"
        },
        {
          "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210312-0001/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-15049",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing \"+\\ \"-\" or an uncommon shell whitespace character prefix to the length field-value."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch",
              "refsource": "MISC",
              "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch"
            },
            {
              "name": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch",
              "refsource": "MISC",
              "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch"
            },
            {
              "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5",
              "refsource": "CONFIRM",
              "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5"
            },
            {
              "name": "FEDORA-2020-cbebc5617e",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/"
            },
            {
              "name": "DSA-4732",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4732"
            },
            {
              "name": "openSUSE-SU-2020:1346",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html"
            },
            {
              "name": "openSUSE-SU-2020:1369",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html"
            },
            {
              "name": "USN-4551-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4551-1/"
            },
            {
              "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210312-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210312-0001/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-15049",
    "datePublished": "2020-06-30T17:55:55.000Z",
    "dateReserved": "2020-06-25T00:00:00.000Z",
    "dateUpdated": "2024-08-04T13:08:21.396Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2020-15049",
      "date": "2026-05-24",
      "epss": "0.15653",
      "percentile": "0.94791"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.0\", \"versionEndIncluding\": \"2.6\", \"matchCriteriaId\": \"357FB8EB-55D7-40D8-918A-F8F2C1B6182A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.1\", \"versionEndIncluding\": \"3.5.28\", \"matchCriteriaId\": \"E3828B8E-1FF7-4707-BB24-6C7CABC37362\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.0\", \"versionEndExcluding\": \"4.12\", \"matchCriteriaId\": \"C3430B4A-4E1E-438D-9C84-4CFED6A3F023\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.0\", \"versionEndExcluding\": \"5.0.3\", \"matchCriteriaId\": \"137B599B-80D1-4903-8791-40F11BC3FCD9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:squid-cache:squid:2.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"35C30CB9-FA3A-408D-A8B0-8805E75657BE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:squid-cache:squid:2.7:stable2:*:*:*:*:*:*\", \"matchCriteriaId\": \"EFBB466C-C679-4B4B-87C2-E7853E5B3F04\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:squid-cache:squid:2.7:stable3:*:*:*:*:*:*\", \"matchCriteriaId\": \"A03692DD-779F-4E3C-861C-29943870A816\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:squid-cache:squid:2.7:stable4:*:*:*:*:*:*\", \"matchCriteriaId\": \"79FF6B3C-A3CE-4AA2-80F9-44D05A6B2F08\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:squid-cache:squid:2.7:stable5:*:*:*:*:*:*\", \"matchCriteriaId\": \"3CF6E367-D33B-4B60-8C40-4618C47D53E8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:squid-cache:squid:2.7:stable6:*:*:*:*:*:*\", \"matchCriteriaId\": \"0FA1F4FE-629C-4489-A13C-017A824C840F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:squid-cache:squid:2.7:stable7:*:*:*:*:*:*\", \"matchCriteriaId\": \"2479C5BF-94E1-4153-9FA3-333BC00F01D6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:squid-cache:squid:2.7:stable8:*:*:*:*:*:*\", \"matchCriteriaId\": \"8ABFCCCC-7584-466E-97CC-6EBD3934A70E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:squid-cache:squid:2.7:stable9:*:*:*:*:*:*\", \"matchCriteriaId\": \"F17E49BF-FB11-4EE6-B6AC-30914F381B2F\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing \\\"+\\\\ \\\"-\\\" or an uncommon shell whitespace character prefix to the length field-value.\"}, {\"lang\": \"es\", \"value\": \"Se detect\\u00f3 un problema en el archivo http/ContentLengthInterpreter.cc en Squid versiones anteriores a 4.12 y versiones 5.x anteriores a 5.0.3. Un ataque de Trafico No Autorizado de Peticiones y Envenenamiento puede tener \\u00e9xito contra la memoria cach\\u00e9 HTTP. El cliente env\\u00eda una petici\\u00f3n HTTP con un encabezado Content-Length que contiene \\\"+\\\\\\\"-\\\" o un prefijo del car\\u00e1cter espacio en blanco de shell poco com\\u00fan en el valor de campo de longitud\"}]",
      "id": "CVE-2020-15049",
      "lastModified": "2024-11-21T05:04:41.830",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cve@mitre.org\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 9.9, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.1, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-06-30T18:15:12.367",
      "references": "[{\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20210312-0001/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://usn.ubuntu.com/4551-1/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://www.debian.org/security/2020/dsa-4732\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20210312-0001/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://usn.ubuntu.com/4551-1/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.debian.org/security/2020/dsa-4732\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-444\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-15049\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-06-30T18:15:12.367\",\"lastModified\":\"2024-11-21T05:04:41.830\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing \\\"+\\\\ \\\"-\\\" or an uncommon shell whitespace character prefix to the length field-value.\"},{\"lang\":\"es\",\"value\":\"Se detect\u00f3 un problema en el archivo http/ContentLengthInterpreter.cc en Squid versiones anteriores a 4.12 y versiones 5.x anteriores a 5.0.3. Un ataque de Trafico No Autorizado de Peticiones y Envenenamiento puede tener \u00e9xito contra la memoria cach\u00e9 HTTP. El cliente env\u00eda una petici\u00f3n HTTP con un encabezado Content-Length que contiene \\\"+\\\\\\\"-\\\" o un prefijo del car\u00e1cter espacio en blanco de shell poco com\u00fan en el valor de campo de longitud\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0\",\"versionEndIncluding\":\"2.6\",\"matchCriteriaId\":\"357FB8EB-55D7-40D8-918A-F8F2C1B6182A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.1\",\"versionEndIncluding\":\"3.5.28\",\"matchCriteriaId\":\"E3828B8E-1FF7-4707-BB24-6C7CABC37362\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0\",\"versionEndExcluding\":\"4.12\",\"matchCriteriaId\":\"C3430B4A-4E1E-438D-9C84-4CFED6A3F023\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0\",\"versionEndExcluding\":\"5.0.3\",\"matchCriteriaId\":\"137B599B-80D1-4903-8791-40F11BC3FCD9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"35C30CB9-FA3A-408D-A8B0-8805E75657BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:stable2:*:*:*:*:*:*\",\"matchCriteriaId\":\"EFBB466C-C679-4B4B-87C2-E7853E5B3F04\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:stable3:*:*:*:*:*:*\",\"matchCriteriaId\":\"A03692DD-779F-4E3C-861C-29943870A816\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:stable4:*:*:*:*:*:*\",\"matchCriteriaId\":\"79FF6B3C-A3CE-4AA2-80F9-44D05A6B2F08\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:stable5:*:*:*:*:*:*\",\"matchCriteriaId\":\"3CF6E367-D33B-4B60-8C40-4618C47D53E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:stable6:*:*:*:*:*:*\",\"matchCriteriaId\":\"0FA1F4FE-629C-4489-A13C-017A824C840F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:stable7:*:*:*:*:*:*\",\"matchCriteriaId\":\"2479C5BF-94E1-4153-9FA3-333BC00F01D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:stable8:*:*:*:*:*:*\",\"matchCriteriaId\":\"8ABFCCCC-7584-466E-97CC-6EBD3934A70E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:stable9:*:*:*:*:*:*\",\"matchCriteriaId\":\"F17E49BF-FB11-4EE6-B6AC-30914F381B2F\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20210312-0001/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://usn.ubuntu.com/4551-1/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.debian.org/security/2020/dsa-4732\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20210312-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://usn.ubuntu.com/4551-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.debian.org/security/2020/dsa-4732\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

CERTFR-2020-AVI-393

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans Squid. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Squid	Squid	Squid versions antérieures à 4.12
	Squid	Squid	Squid versions 5.0.x antérieures à 5.0.3

References

Title

Publication Time

Tags

Bulletin de sécurité Squid du 26 juin 2020

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Squid versions ant\u00e9rieures \u00e0 4.12",
      "product": {
        "name": "Squid",
        "vendor": {
          "name": "Squid",
          "scada": false
        }
      }
    },
    {
      "description": "Squid versions 5.0.x ant\u00e9rieures \u00e0 5.0.3",
      "product": {
        "name": "Squid",
        "vendor": {
          "name": "Squid",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-15049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15049"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-393",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-06-29T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Squid. Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9 et\nune atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Squid",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Squid du 26 juin 2020",
      "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5"
    }
  ]
}

CERTFR-2021-AVI-700

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	N/A	IBM Security Guardium version 11.2 sans le dernier correctif
	IBM	N/A	IBM Security Guardium version 11.3 sans le dernier correctif

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6455281 du 13 septembre 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Security Guardium version 11.2 sans le dernier correctif",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Security Guardium version 11.3 sans le dernier correctif",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-12749",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12749"
    },
    {
      "name": "CVE-2020-24606",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-24606"
    },
    {
      "name": "CVE-2019-14866",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-14866"
    },
    {
      "name": "CVE-2021-20428",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20428"
    },
    {
      "name": "CVE-2019-5094",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-5094"
    },
    {
      "name": "CVE-2020-8450",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8450"
    },
    {
      "name": "CVE-2019-19956",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19956"
    },
    {
      "name": "CVE-2021-21285",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21285"
    },
    {
      "name": "CVE-2020-8177",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8177"
    },
    {
      "name": "CVE-2020-15049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15049"
    },
    {
      "name": "CVE-2019-12450",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12450"
    },
    {
      "name": "CVE-2020-10754",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-10754"
    },
    {
      "name": "CVE-2020-13401",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13401"
    },
    {
      "name": "CVE-2019-20388",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-20388"
    },
    {
      "name": "CVE-2019-14822",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-14822"
    },
    {
      "name": "CVE-2019-10785",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-10785"
    },
    {
      "name": "CVE-2021-20385",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20385"
    },
    {
      "name": "CVE-2020-7595",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7595"
    },
    {
      "name": "CVE-2020-5259",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-5259"
    },
    {
      "name": "CVE-2019-11719",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11719"
    },
    {
      "name": "CVE-2019-12528",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12528"
    },
    {
      "name": "CVE-2021-3156",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3156"
    },
    {
      "name": "CVE-2020-15810",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15810"
    },
    {
      "name": "CVE-2020-15811",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15811"
    },
    {
      "name": "CVE-2020-8449",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8449"
    },
    {
      "name": "CVE-2021-20426",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20426"
    },
    {
      "name": "CVE-2020-12825",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-12825"
    },
    {
      "name": "CVE-2021-20419",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20419"
    },
    {
      "name": "CVE-2019-5482",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-5482"
    },
    {
      "name": "CVE-2019-5188",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-5188"
    },
    {
      "name": "CVE-2021-20389",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20389"
    },
    {
      "name": "CVE-2021-20386",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20386"
    },
    {
      "name": "CVE-2020-12049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-12049"
    },
    {
      "name": "CVE-2020-5258",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-5258"
    },
    {
      "name": "CVE-2021-21284",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21284"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-700",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-09-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6455281 du 13 septembre 2021",
      "url": "https://www.ibm.com/support/pages/node/6455281"
    }
  ]
}

CERTFR-2020-AVI-393

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans Squid. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Squid	Squid	Squid versions antérieures à 4.12
	Squid	Squid	Squid versions 5.0.x antérieures à 5.0.3

References

Title

Publication Time

Tags

Bulletin de sécurité Squid du 26 juin 2020

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Squid versions ant\u00e9rieures \u00e0 4.12",
      "product": {
        "name": "Squid",
        "vendor": {
          "name": "Squid",
          "scada": false
        }
      }
    },
    {
      "description": "Squid versions 5.0.x ant\u00e9rieures \u00e0 5.0.3",
      "product": {
        "name": "Squid",
        "vendor": {
          "name": "Squid",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-15049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15049"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-393",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-06-29T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Squid. Elle permet \u00e0 un\nattaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9 et\nune atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Squid",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Squid du 26 juin 2020",
      "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5"
    }
  ]
}

CERTFR-2021-AVI-700

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	N/A	IBM Security Guardium version 11.2 sans le dernier correctif
	IBM	N/A	IBM Security Guardium version 11.3 sans le dernier correctif

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6455281 du 13 septembre 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Security Guardium version 11.2 sans le dernier correctif",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Security Guardium version 11.3 sans le dernier correctif",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2019-12749",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12749"
    },
    {
      "name": "CVE-2020-24606",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-24606"
    },
    {
      "name": "CVE-2019-14866",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-14866"
    },
    {
      "name": "CVE-2021-20428",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20428"
    },
    {
      "name": "CVE-2019-5094",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-5094"
    },
    {
      "name": "CVE-2020-8450",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8450"
    },
    {
      "name": "CVE-2019-19956",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19956"
    },
    {
      "name": "CVE-2021-21285",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21285"
    },
    {
      "name": "CVE-2020-8177",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8177"
    },
    {
      "name": "CVE-2020-15049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15049"
    },
    {
      "name": "CVE-2019-12450",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12450"
    },
    {
      "name": "CVE-2020-10754",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-10754"
    },
    {
      "name": "CVE-2020-13401",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-13401"
    },
    {
      "name": "CVE-2019-20388",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-20388"
    },
    {
      "name": "CVE-2019-14822",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-14822"
    },
    {
      "name": "CVE-2019-10785",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-10785"
    },
    {
      "name": "CVE-2021-20385",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20385"
    },
    {
      "name": "CVE-2020-7595",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-7595"
    },
    {
      "name": "CVE-2020-5259",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-5259"
    },
    {
      "name": "CVE-2019-11719",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-11719"
    },
    {
      "name": "CVE-2019-12528",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-12528"
    },
    {
      "name": "CVE-2021-3156",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3156"
    },
    {
      "name": "CVE-2020-15810",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15810"
    },
    {
      "name": "CVE-2020-15811",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15811"
    },
    {
      "name": "CVE-2020-8449",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-8449"
    },
    {
      "name": "CVE-2021-20426",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20426"
    },
    {
      "name": "CVE-2020-12825",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-12825"
    },
    {
      "name": "CVE-2021-20419",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20419"
    },
    {
      "name": "CVE-2019-5482",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-5482"
    },
    {
      "name": "CVE-2019-5188",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-5188"
    },
    {
      "name": "CVE-2021-20389",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20389"
    },
    {
      "name": "CVE-2021-20386",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20386"
    },
    {
      "name": "CVE-2020-12049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-12049"
    },
    {
      "name": "CVE-2020-5258",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-5258"
    },
    {
      "name": "CVE-2021-21284",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21284"
    }
  ],
  "links": [],
  "reference": "CERTFR-2021-AVI-700",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-09-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6455281 du 13 septembre 2021",
      "url": "https://www.ibm.com/support/pages/node/6455281"
    }
  ]
}

alsa-2020:4743

Vulnerability from osv_almalinux

Published

2020-11-03 12:32

Modified

2020-11-03 19:54

Summary

Moderate: squid:4 security, bug fix, and enhancement update

Details

Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.

The following packages have been upgraded to a later upstream version: squid (4.11). (BZ#1829467)

Security Fix(es):

squid: Improper input validation in request allows for proxy manipulation (CVE-2019-12520)
squid: Off-by-one error in addStackElement allows for heap buffer overflow and crash (CVE-2019-12521)
squid: Improper input validation in URI processor (CVE-2019-12523)
squid: Improper access restriction in url_regex may lead to security bypass (CVE-2019-12524)
squid: Heap overflow issue in URN processing (CVE-2019-12526)
squid: Information Disclosure issue in FTP Gateway (CVE-2019-12528)
squid: Out of bounds read in Proxy-Authorization header causes DoS (CVE-2019-12529)
squid: Denial of service in cachemgr.cgi (CVE-2019-12854)
squid: Buffer overflow in URI processor (CVE-2019-18676)
squid: Cross-Site Request Forgery issue in HTTP Request processing (CVE-2019-18677)
squid: HTTP Request Splitting issue in HTTP message processing (CVE-2019-18678)
squid: Information Disclosure issue in HTTP Digest Authentication (CVE-2019-18679)
squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour (CVE-2019-18860)
squid: Improper input validation issues in HTTP Request processing (CVE-2020-8449)
squid: Buffer overflow in reverse-proxy configurations (CVE-2020-8450)
squid: DoS in TLS handshake (CVE-2020-14058)
squid: Request smuggling and poisoning attack against the HTTP cache (CVE-2020-15049)
squid: Improper input validation could result in a DoS (CVE-2020-24606)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

References

URL

Type

	https://errata.almalinux.org/8/ALSA-2020-4743.html	ADVISORY
	https://vulners.com/cve/CVE-2019-12520	REPORT
	https://vulners.com/cve/CVE-2019-12521	REPORT
	https://vulners.com/cve/CVE-2019-12523	REPORT
	https://vulners.com/cve/CVE-2019-12524	REPORT
	https://vulners.com/cve/CVE-2019-12526	REPORT
	https://vulners.com/cve/CVE-2019-12528	REPORT
	https://vulners.com/cve/CVE-2019-12529	REPORT
	https://vulners.com/cve/CVE-2019-12854	REPORT
	https://vulners.com/cve/CVE-2019-18676	REPORT
	https://vulners.com/cve/CVE-2019-18677	REPORT
	https://vulners.com/cve/CVE-2019-18678	REPORT
	https://vulners.com/cve/CVE-2019-18679	REPORT
	https://vulners.com/cve/CVE-2019-18860	REPORT
	https://vulners.com/cve/CVE-2020-14058	REPORT
	https://vulners.com/cve/CVE-2020-15049	REPORT
	https://vulners.com/cve/CVE-2020-24606	REPORT
	https://vulners.com/cve/CVE-2020-8449	REPORT
	https://vulners.com/cve/CVE-2020-8450	REPORT

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "libecap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1-2.module_el8.6.0+2741+01592ae8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "libecap-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1-2.module_el8.6.0+2741+01592ae8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.\n\nThe following packages have been upgraded to a later upstream version: squid (4.11). (BZ#1829467)\n\nSecurity Fix(es):\n\n* squid: Improper input validation in request allows for proxy manipulation (CVE-2019-12520)\n\n* squid: Off-by-one error in addStackElement allows for heap buffer overflow and crash (CVE-2019-12521)\n\n* squid: Improper input validation in URI processor (CVE-2019-12523)\n\n* squid: Improper access restriction in url_regex may lead to security bypass (CVE-2019-12524)\n\n* squid: Heap overflow issue in URN processing (CVE-2019-12526)\n\n* squid: Information Disclosure issue in FTP Gateway (CVE-2019-12528)\n\n* squid: Out of bounds read in Proxy-Authorization header causes DoS (CVE-2019-12529)\n\n* squid: Denial of service in cachemgr.cgi (CVE-2019-12854)\n\n* squid: Buffer overflow in URI processor (CVE-2019-18676)\n\n* squid: Cross-Site Request Forgery issue in HTTP Request processing (CVE-2019-18677)\n\n* squid: HTTP Request Splitting issue in HTTP message processing (CVE-2019-18678)\n\n* squid: Information Disclosure issue in HTTP Digest Authentication (CVE-2019-18679)\n\n* squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour (CVE-2019-18860)\n\n* squid: Improper input validation issues in HTTP Request processing (CVE-2020-8449)\n\n* squid: Buffer overflow in reverse-proxy configurations (CVE-2020-8450)\n\n* squid: DoS in TLS handshake (CVE-2020-14058)\n\n* squid: Request smuggling and poisoning attack against the HTTP cache (CVE-2020-15049)\n\n* squid: Improper input validation could result in a DoS (CVE-2020-24606)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.",
  "id": "ALSA-2020:4743",
  "modified": "2020-11-03T19:54:15Z",
  "published": "2020-11-03T12:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2020-4743.html"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-12520"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-12521"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-12523"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-12524"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-12526"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-12528"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-12529"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-12854"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-18676"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-18677"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-18678"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-18679"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2019-18860"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-14058"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-15049"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-24606"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-8449"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-8450"
    }
  ],
  "related": [
    "CVE-2019-12520",
    "CVE-2019-12521",
    "CVE-2019-12523",
    "CVE-2019-12524",
    "CVE-2019-12526",
    "CVE-2019-12528",
    "CVE-2019-12529",
    "CVE-2019-12854",
    "CVE-2019-18676",
    "CVE-2019-18677",
    "CVE-2019-18678",
    "CVE-2019-18679",
    "CVE-2019-18860",
    "CVE-2020-8449",
    "CVE-2020-8450",
    "CVE-2020-14058",
    "CVE-2020-15049",
    "CVE-2020-24606"
  ],
  "summary": "Moderate: squid:4 security, bug fix, and enhancement update"
}

BDU:2020-04037

Vulnerability from fstec - Published: 30.06.2020

Title

Уязвимость компонента http/ContentLengthInterpreter.cc прокси-сервера Squid, позволяющая нарушителю отравлять содержимое кэша

Description

Уязвимость компонента http/ContentLengthInterpreter.cc прокси-сервера Squid связана с недостатками обработки HTTP-запросов. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, отравлять содержимое кэша с помощью специально созданного HTTP(S)-запроса

Severity ?


                    
                      AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor

Сообщество свободного программного обеспечения, ООО «РусБИТех-Астра», Fedora Project, Squid Software Foundation, АО "НППКТ", АО «Концерн ВНИИНС»

Software Name

Debian GNU/Linux, Astra Linux Special Edition (запись в едином реестре российских программ №369), Astra Linux Common Edition (запись в едином реестре российских программ №4433), Fedora, Astra Linux Special Edition для «Эльбрус» (запись в едином реестре российских программ №11156), Squid, ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913), ОС ОН «Стрелец» (запись в едином реестре российских программ №6177)

Software Version

9 (Debian GNU/Linux), 1.6 «Смоленск» (Astra Linux Special Edition), 2.12 «Орёл» (Astra Linux Common Edition), 8 (Debian GNU/Linux), 10 (Debian GNU/Linux), 31 (Fedora), 8.1 «Ленинград» (Astra Linux Special Edition для «Эльбрус»), от 3.0 до 3.5.28 включительно (Squid), от 2.0 до 2.7.STABLE9 включительно (Squid), от 4.0 до 4.11 включительно (Squid), 5.0.1 (Squid), 5.0.2 (Squid), до 2.5 (ОСОН ОСнова Оnyx), до 16.01.2023 (ОС ОН «Стрелец»)

Possible Mitigations

Использование рекомендаций: Для Fedora : https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/ Для Squid: http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch Для Debian: https://security-tracker.debian.org/tracker/CVE-2020-15049 Для Astra Linux: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20210730SE16 https://wiki.astralinux.ru/astra-linux-se81-bulletin-20211019SE81 Для ОСОН Основа: Обновление программного обеспечения squid до версии 5.5-1 Для ОС ОН «Стрелец»: Обновление программного обеспечения squid3 до версии 3.5.23-5+deb9u7

Reference

http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/ https://nvd.nist.gov/vuln/detail/CVE-2020-15049 https://security-tracker.debian.org/tracker/CVE-2020-15049 https://wiki.astralinux.ru/astra-linux-se16-bulletin-20210611SE16 https://www.debian.org/security/2020/dsa-4732 https://wiki.astralinux.ru/astra-linux-se81-bulletin-20211019SE81 https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.5/ https://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023

CWE

CWE-444

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
  "CVSS 3.0": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, Fedora Project, Squid Software Foundation, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\", \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "9 (Debian GNU/Linux), 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Special Edition), 2.12 \u00ab\u041e\u0440\u0451\u043b\u00bb (Astra Linux Common Edition), 8 (Debian GNU/Linux), 10 (Debian GNU/Linux), 31 (Fedora), 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb (Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb), \u043e\u0442 3.0 \u0434\u043e 3.5.28 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Squid), \u043e\u0442 2.0 \u0434\u043e 2.7.STABLE9 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Squid), \u043e\u0442 4.0 \u0434\u043e 4.11 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Squid), 5.0.1 (Squid), 5.0.2 (Squid), \u0434\u043e 2.5 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), \u0434\u043e 16.01.2023 (\u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Fedora :\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/\n\n\u0414\u043b\u044f Squid:\nhttp://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch\n\n\u0414\u043b\u044f Debian:\nhttps://security-tracker.debian.org/tracker/CVE-2020-15049\n\n\u0414\u043b\u044f Astra Linux:\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20210730SE16\nhttps://wiki.astralinux.ru/astra-linux-se81-bulletin-20211019SE81\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0441\u043d\u043e\u0432\u0430:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f squid \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 5.5-1\n\n\u0414\u043b\u044f \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f squid3 \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 3.5.23-5+deb9u7",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "30.06.2020",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "21.11.2023",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "26.08.2020",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2020-04037",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2020-15049",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Debian GNU/Linux, Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Astra Linux Common Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), Fedora, Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211611156), Squid, \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 9 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Common Edition 2.12 \u00ab\u041e\u0440\u0451\u043b\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 8 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , Fedora Project Fedora 31 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211611156), \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb \u0434\u043e 16.01.2023  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 http/ContentLengthInterpreter.cc \u043f\u0440\u043e\u043a\u0441\u0438-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 Squid, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0442\u0440\u0430\u0432\u043b\u044f\u0442\u044c \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435 \u043a\u044d\u0448\u0430",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u043e\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u043d\u0430\u044f \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0446\u0438\u044f HTTP-\u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432 (\u0027\u041a\u043e\u043d\u0442\u0440\u0430\u0431\u0430\u043d\u0434\u0430 HTTP-\u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432\u0027) (CWE-444)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 http/ContentLengthInterpreter.cc \u043f\u0440\u043e\u043a\u0441\u0438-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 Squid \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0438 HTTP-\u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u0442\u0440\u0430\u0432\u043b\u044f\u0442\u044c \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435 \u043a\u044d\u0448\u0430 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u043e\u0437\u0434\u0430\u043d\u043d\u043e\u0433\u043e HTTP(S)-\u0437\u0430\u043f\u0440\u043e\u0441\u0430",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041f\u043e\u0434\u043c\u0435\u043d\u0430 \u043f\u0440\u0438 \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch\nhttp://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch\nhttps://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-15049\nhttps://security-tracker.debian.org/tracker/CVE-2020-15049\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20210611SE16\nhttps://www.debian.org/security/2020/dsa-4732\nhttps://wiki.astralinux.ru/astra-linux-se81-bulletin-20211019SE81\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.5/\nhttps://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-444",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,5)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,8)"
}

CNVD-2021-36605

Vulnerability from cnvd - Published: 2021-05-24

Title

Squid环境问题漏洞

Description

Squid是一套代理服务器和Web缓存服务器软件。该软件提供缓存万维网、过滤流量、代理上网等功能。 Squid 4.12之前版本和5.0.3之前的5.x版本中的http/ContentLengthInterpreter.cc文件存在环境问题漏洞，该漏洞源于程序没有正确验证输入。攻击者可借助特制HTTP请求利用该漏洞造成Web缓存中毒，绕过Web应用程序防火墙保护或实施跨站脚本攻击。

Severity

中

Patch Name

Squid环境问题漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-15049

Impacted products

Name
['Squid Squid <4.12', 'Squid Squid >=5.0，<5.0.3', 'Squid Squid >=4.0，<4.12', 'Squid Squid >=3.1，<3.5.28', 'Squid Squid 2.7:stable2', 'Squid Squid 2.7:stable3', 'Squid Squid 2.7:stable4', 'Squid Squid 2.7:stable8', 'Squid Squid 2.7:stable9']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-15049"
    }
  },
  "description": "Squid\u662f\u4e00\u5957\u4ee3\u7406\u670d\u52a1\u5668\u548cWeb\u7f13\u5b58\u670d\u52a1\u5668\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u7f13\u5b58\u4e07\u7ef4\u7f51\u3001\u8fc7\u6ee4\u6d41\u91cf\u3001\u4ee3\u7406\u4e0a\u7f51\u7b49\u529f\u80fd\u3002\n\nSquid 4.12\u4e4b\u524d\u7248\u672c\u548c5.0.3\u4e4b\u524d\u76845.x\u7248\u672c\u4e2d\u7684http/ContentLengthInterpreter.cc\u6587\u4ef6\u5b58\u5728\u73af\u5883\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u6ca1\u6709\u6b63\u786e\u9a8c\u8bc1\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236HTTP\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210Web\u7f13\u5b58\u4e2d\u6bd2\uff0c\u7ed5\u8fc7Web\u5e94\u7528\u7a0b\u5e8f\u9632\u706b\u5899\u4fdd\u62a4\u6216\u5b9e\u65bd\u8de8\u7ad9\u811a\u672c\u653b\u51fb\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-36605",
  "openTime": "2021-05-24",
  "patchDescription": "Squid\u662f\u4e00\u5957\u4ee3\u7406\u670d\u52a1\u5668\u548cWeb\u7f13\u5b58\u670d\u52a1\u5668\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u7f13\u5b58\u4e07\u7ef4\u7f51\u3001\u8fc7\u6ee4\u6d41\u91cf\u3001\u4ee3\u7406\u4e0a\u7f51\u7b49\u529f\u80fd\u3002\r\n\r\nSquid 4.12\u4e4b\u524d\u7248\u672c\u548c5.0.3\u4e4b\u524d\u76845.x\u7248\u672c\u4e2d\u7684http/ContentLengthInterpreter.cc\u6587\u4ef6\u5b58\u5728\u73af\u5883\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u6ca1\u6709\u6b63\u786e\u9a8c\u8bc1\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236HTTP\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210Web\u7f13\u5b58\u4e2d\u6bd2\uff0c\u7ed5\u8fc7Web\u5e94\u7528\u7a0b\u5e8f\u9632\u706b\u5899\u4fdd\u62a4\u6216\u5b9e\u65bd\u8de8\u7ad9\u811a\u672c\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Squid\u73af\u5883\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Squid Squid \u003c4.12",
      "Squid Squid \u003e=5.0\uff0c\u003c5.0.3",
      "Squid Squid \u003e=4.0\uff0c\u003c4.12",
      "Squid Squid \u003e=3.1\uff0c\u003c3.5.28",
      "Squid Squid 2.7:stable2",
      "Squid Squid 2.7:stable3",
      "Squid Squid 2.7:stable4",
      "Squid Squid 2.7:stable8",
      "Squid Squid 2.7:stable9"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-15049",
  "serverity": "\u4e2d",
  "submitTime": "2020-06-30",
  "title": "Squid\u73af\u5883\u95ee\u9898\u6f0f\u6d1e"
}

FKIE_CVE-2020-15049

Vulnerability from fkie_nvd - Published: 2020-06-30 18:15 - Updated: 2024-11-21 05:04

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html
cve@mitre.org	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html
cve@mitre.org	http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch	Patch, Vendor Advisory
cve@mitre.org	http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch	Patch, Vendor Advisory
cve@mitre.org	https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5	Third Party Advisory
cve@mitre.org	https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/
cve@mitre.org	https://security.netapp.com/advisory/ntap-20210312-0001/
cve@mitre.org	https://usn.ubuntu.com/4551-1/
cve@mitre.org	https://www.debian.org/security/2020/dsa-4732
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html
af854a3a-2127-422b-91ae-364da2661108	http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20210312-0001/
af854a3a-2127-422b-91ae-364da2661108	https://usn.ubuntu.com/4551-1/
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2020/dsa-4732

Impacted products

Vendor	Product	Version
squid-cache	squid	*
squid-cache	squid	*
squid-cache	squid	*
squid-cache	squid	*
squid-cache	squid	2.7
squid-cache	squid	2.7
squid-cache	squid	2.7
squid-cache	squid	2.7
squid-cache	squid	2.7
squid-cache	squid	2.7
squid-cache	squid	2.7
squid-cache	squid	2.7
squid-cache	squid	2.7
fedoraproject	fedora	31

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "357FB8EB-55D7-40D8-918A-F8F2C1B6182A",
              "versionEndIncluding": "2.6",
              "versionStartIncluding": "2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E3828B8E-1FF7-4707-BB24-6C7CABC37362",
              "versionEndIncluding": "3.5.28",
              "versionStartIncluding": "3.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C3430B4A-4E1E-438D-9C84-4CFED6A3F023",
              "versionEndExcluding": "4.12",
              "versionStartIncluding": "4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "137B599B-80D1-4903-8791-40F11BC3FCD9",
              "versionEndExcluding": "5.0.3",
              "versionStartIncluding": "5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:squid-cache:squid:2.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "35C30CB9-FA3A-408D-A8B0-8805E75657BE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:squid-cache:squid:2.7:stable2:*:*:*:*:*:*",
              "matchCriteriaId": "EFBB466C-C679-4B4B-87C2-E7853E5B3F04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:squid-cache:squid:2.7:stable3:*:*:*:*:*:*",
              "matchCriteriaId": "A03692DD-779F-4E3C-861C-29943870A816",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:squid-cache:squid:2.7:stable4:*:*:*:*:*:*",
              "matchCriteriaId": "79FF6B3C-A3CE-4AA2-80F9-44D05A6B2F08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:squid-cache:squid:2.7:stable5:*:*:*:*:*:*",
              "matchCriteriaId": "3CF6E367-D33B-4B60-8C40-4618C47D53E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:squid-cache:squid:2.7:stable6:*:*:*:*:*:*",
              "matchCriteriaId": "0FA1F4FE-629C-4489-A13C-017A824C840F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:squid-cache:squid:2.7:stable7:*:*:*:*:*:*",
              "matchCriteriaId": "2479C5BF-94E1-4153-9FA3-333BC00F01D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:squid-cache:squid:2.7:stable8:*:*:*:*:*:*",
              "matchCriteriaId": "8ABFCCCC-7584-466E-97CC-6EBD3934A70E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:squid-cache:squid:2.7:stable9:*:*:*:*:*:*",
              "matchCriteriaId": "F17E49BF-FB11-4EE6-B6AC-30914F381B2F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
              "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing \"+\\ \"-\" or an uncommon shell whitespace character prefix to the length field-value."
    },
    {
      "lang": "es",
      "value": "Se detect\u00f3 un problema en el archivo http/ContentLengthInterpreter.cc en Squid versiones anteriores a 4.12 y versiones 5.x anteriores a 5.0.3. Un ataque de Trafico No Autorizado de Peticiones y Envenenamiento puede tener \u00e9xito contra la memoria cach\u00e9 HTTP. El cliente env\u00eda una petici\u00f3n HTTP con un encabezado Content-Length que contiene \"+\\\"-\" o un prefijo del car\u00e1cter espacio en blanco de shell poco com\u00fan en el valor de campo de longitud"
    }
  ],
  "id": "CVE-2020-15049",
  "lastModified": "2024-11-21T05:04:41.830",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "cve@mitre.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-06-30T18:15:12.367",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://security.netapp.com/advisory/ntap-20210312-0001/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://usn.ubuntu.com/4551-1/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.debian.org/security/2020/dsa-4732"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20210312-0001/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://usn.ubuntu.com/4551-1/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.debian.org/security/2020/dsa-4732"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-444"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2020-15049

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-15049

Aliases

CVE-2020-15049

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-15049",
    "description": "An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing \"+\\ \"-\" or an uncommon shell whitespace character prefix to the length field-value.",
    "id": "GSD-2020-15049",
    "references": [
      "https://www.suse.com/security/cve/CVE-2020-15049.html",
      "https://www.debian.org/security/2020/dsa-4732",
      "https://access.redhat.com/errata/RHSA-2020:4743",
      "https://access.redhat.com/errata/RHSA-2020:4082",
      "https://ubuntu.com/security/CVE-2020-15049",
      "https://alas.aws.amazon.com/cve/html/CVE-2020-15049.html",
      "https://linux.oracle.com/cve/CVE-2020-15049.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-15049"
      ],
      "details": "An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing \"+\\ \"-\" or an uncommon shell whitespace character prefix to the length field-value.",
      "id": "GSD-2020-15049",
      "modified": "2023-12-13T01:21:43.234363Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2020-15049",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing \"+\\ \"-\" or an uncommon shell whitespace character prefix to the length field-value."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch",
            "refsource": "MISC",
            "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch"
          },
          {
            "name": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch",
            "refsource": "MISC",
            "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch"
          },
          {
            "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5",
            "refsource": "CONFIRM",
            "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5"
          },
          {
            "name": "FEDORA-2020-cbebc5617e",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/"
          },
          {
            "name": "DSA-4732",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2020/dsa-4732"
          },
          {
            "name": "openSUSE-SU-2020:1346",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html"
          },
          {
            "name": "openSUSE-SU-2020:1369",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html"
          },
          {
            "name": "USN-4551-1",
            "refsource": "UBUNTU",
            "url": "https://usn.ubuntu.com/4551-1/"
          },
          {
            "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20210312-0001/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20210312-0001/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.6",
                "versionStartIncluding": "2.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:squid-cache:squid:2.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:squid-cache:squid:2.7:stable2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:squid-cache:squid:2.7:stable3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:squid-cache:squid:2.7:stable4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:squid-cache:squid:2.7:stable5:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:squid-cache:squid:2.7:stable6:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:squid-cache:squid:2.7:stable7:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:squid-cache:squid:2.7:stable8:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:squid-cache:squid:2.7:stable9:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.5.28",
                "versionStartIncluding": "3.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.12",
                "versionStartIncluding": "4.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.0.3",
                "versionStartIncluding": "5.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-15049"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing \"+\\ \"-\" or an uncommon shell whitespace character prefix to the length field-value."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-444"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch"
            },
            {
              "name": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5"
            },
            {
              "name": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch"
            },
            {
              "name": "FEDORA-2020-cbebc5617e",
              "refsource": "FEDORA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3RG5FGSTCAYVIJPJHIY3MRZ7NFT6HDO7/"
            },
            {
              "name": "DSA-4732",
              "refsource": "DEBIAN",
              "tags": [],
              "url": "https://www.debian.org/security/2020/dsa-4732"
            },
            {
              "name": "openSUSE-SU-2020:1346",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html"
            },
            {
              "name": "openSUSE-SU-2020:1369",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html"
            },
            {
              "name": "USN-4551-1",
              "refsource": "UBUNTU",
              "tags": [],
              "url": "https://usn.ubuntu.com/4551-1/"
            },
            {
              "name": "[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210312-0001/",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://security.netapp.com/advisory/ntap-20210312-0001/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-03-12T13:15Z",
      "publishedDate": "2020-06-30T18:15Z"
    }
  }
}

OPENSUSE-SU-2020:1346-1

Vulnerability from csaf_opensuse - Published: 2020-09-05 12:23 - Updated: 2020-09-05 12:23

Summary

Security update for squid

Severity

Critical

Notes

Title of the patch: Security update for squid

Description of the patch: This update for squid fixes the following issues: squid was updated to version 4.13: - CVE-2020-24606: Fix livelocking in peerDigestHandleReply (bsc#1175671). - CVE-2020-15811: Improve Transfer-Encoding handling (bsc#1175665). - CVE-2020-15810: Enforce token characters for field-name (bsc#1175664). This update was imported from the SUSE:SLE-15:Update update project.

Patchnames: openSUSE-2020-1346

CVE-2020-15049

8.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64		—	Vendor Fix

Threats

Impact important

CVE-2020-15810

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64		—	Vendor Fix

Threats

Impact critical

CVE-2020-15811

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64		—	Vendor Fix

Threats

Impact critical

CVE-2020-24606

7.7 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Affected products

Recommended 1 product

Product	Identifier	Version	Remediation
Unresolved product id: openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64		—	Vendor Fix

Threats

Impact important

References

21 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://lists.opensuse.org/archives/list/security…	self
https://lists.opensuse.org/archives/list/security…	self
https://bugzilla.suse.com/1173455	self
https://bugzilla.suse.com/1175664	self
https://bugzilla.suse.com/1175665	self
https://bugzilla.suse.com/1175671	self
https://www.suse.com/security/cve/CVE-2020-15049/	self
https://www.suse.com/security/cve/CVE-2020-15810/	self
https://www.suse.com/security/cve/CVE-2020-15811/	self
https://www.suse.com/security/cve/CVE-2020-24606/	self
https://www.suse.com/security/cve/CVE-2020-15049	external
https://bugzilla.suse.com/1173455	external
https://bugzilla.suse.com/1174381	external
https://www.suse.com/security/cve/CVE-2020-15810	external
https://bugzilla.suse.com/1175664	external
https://www.suse.com/security/cve/CVE-2020-15811	external
https://bugzilla.suse.com/1175665	external
https://www.suse.com/security/cve/CVE-2020-24606	external
https://bugzilla.suse.com/1175671	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for squid",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for squid fixes the following issues:\n\nsquid was updated to version 4.13:\n\n- CVE-2020-24606: Fix livelocking in peerDigestHandleReply (bsc#1175671).\n- CVE-2020-15811: Improve Transfer-Encoding handling (bsc#1175665).\n- CVE-2020-15810: Enforce token characters for field-name (bsc#1175664).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2020-1346",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1346-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2020:1346-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7ZLGD6G3KY7JU2TB5YQO7CEN77XZWRYS/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2020:1346-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7ZLGD6G3KY7JU2TB5YQO7CEN77XZWRYS/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1173455",
        "url": "https://bugzilla.suse.com/1173455"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1175664",
        "url": "https://bugzilla.suse.com/1175664"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1175665",
        "url": "https://bugzilla.suse.com/1175665"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1175671",
        "url": "https://bugzilla.suse.com/1175671"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-15049 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-15049/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-15810 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-15810/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-15811 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-15811/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-24606 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-24606/"
      }
    ],
    "title": "Security update for squid",
    "tracking": {
      "current_release_date": "2020-09-05T12:23:36Z",
      "generator": {
        "date": "2020-09-05T12:23:36Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2020:1346-1",
      "initial_release_date": "2020-09-05T12:23:36Z",
      "revision_history": [
        {
          "date": "2020-09-05T12:23:36Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "squid-4.13-lp151.2.24.1.x86_64",
                "product": {
                  "name": "squid-4.13-lp151.2.24.1.x86_64",
                  "product_id": "squid-4.13-lp151.2.24.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.1",
                "product": {
                  "name": "openSUSE Leap 15.1",
                  "product_id": "openSUSE Leap 15.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squid-4.13-lp151.2.24.1.x86_64 as component of openSUSE Leap 15.1",
          "product_id": "openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64"
        },
        "product_reference": "squid-4.13-lp151.2.24.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-15049",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-15049"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing \"+\\ \"-\" or an uncommon shell whitespace character prefix to the length field-value.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-15049",
          "url": "https://www.suse.com/security/cve/CVE-2020-15049"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1173455 for CVE-2020-15049",
          "url": "https://bugzilla.suse.com/1173455"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1174381 for CVE-2020-15049",
          "url": "https://bugzilla.suse.com/1174381"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-09-05T12:23:36Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-15049"
    },
    {
      "cve": "CVE-2020-15810",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-15810"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. When this occurs as a prefix to a Content-Length header, the frame length specified will be ignored by Squid (allowing for a conflicting length to be used from another Content-Length header) but relayed upstream.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-15810",
          "url": "https://www.suse.com/security/cve/CVE-2020-15810"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1175664 for CVE-2020-15810",
          "url": "https://bugzilla.suse.com/1175664"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-09-05T12:23:36Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2020-15810"
    },
    {
      "cve": "CVE-2020-15811",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-15811"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the browser cache and any downstream caches with content from an arbitrary source. Squid uses a string search instead of parsing the Transfer-Encoding header to find chunked encoding. This allows an attacker to hide a second request inside Transfer-Encoding: it is interpreted by Squid as chunked and split out into a second request delivered upstream. Squid will then deliver two distinct responses to the client, corrupting any downstream caches.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-15811",
          "url": "https://www.suse.com/security/cve/CVE-2020-15811"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1175665 for CVE-2020-15811",
          "url": "https://bugzilla.suse.com/1175665"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-09-05T12:23:36Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2020-15811"
    },
    {
      "cve": "CVE-2020-24606",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-24606"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perform Denial of Service by consuming all available CPU cycles during handling of a crafted Cache Digest response message. This only occurs when cache_peer is used with the cache digests feature. The problem exists because peerDigestHandleReply() livelocking in peer_digest.cc mishandles EOF.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-24606",
          "url": "https://www.suse.com/security/cve/CVE-2020-24606"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1175671 for CVE-2020-24606",
          "url": "https://bugzilla.suse.com/1175671"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.1:squid-4.13-lp151.2.24.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-09-05T12:23:36Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-24606"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-15049 (GCVE-0-2020-15049)

Solution

Solution

Solution

Solution

Vulnerability from osv_almalinux

Tags

Sightings

Nomenclature