#VU22587 Inconsistent interpretation of HTTP requests in Squid - CVE-2019-18678


Vulnerability identifier: #VU22587

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-18678

CWE-ID: CWE-444

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Squid
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: Squid-cache.org

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attack.

The vulnerability exists due to insufficient validation of HTTP request headers in Squid. A remote attacker can initiate a specially crafted HTTP request that will cause the software to split HTTP request and display to the end user content, controlled by the attacker at arbitrary URL.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Squid: 3.0.stable1 - 3.5.28, 4.0.1 - 4.8

External links
https://www.squid-cache.org/Advisories/SQUID-2019_10.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Anolis OS update for squid:4 (Anolis OS 8.4) module
Red Hat Enterprise Linux 8 update for the squid:4 module
Debian update for squid
Gentoo update for Squid
Ubuntu update for Squid
OpenSUSE Linux update for squid
OpenSUSE Linux update for squid
Arch Linux update for squid
Multiple vulnerabilities in Squid proxy server