CVE-2012-2213 — Squid vulnerability

CWE-2645 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

2.1%

top 15.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid-cache Squid

Timeline

PublishedApr 28

Latest updateMay 17

Description

Squid 3.1.9 allows remote attackers to bypass the access configuration for the CONNECT method by providing an arbitrary allowed hostname in the Host HTTP header. NOTE: this issue might not be reproducible, because the researcher is unable to provide a squid.conf file for a vulnerable system, and the observed behavior is consistent with a squid.conf file that was (perhaps inadvertently) designed to allow access based on a "req_header Host" acl regex that matches www.uol.com.br

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDsquid-cache/squid3.1.9

🔴Vulnerability Details

GHSA

GHSA-4xhr-2rmp-vfjq: ** DISPUTED ** Squid 3↗2022-05-17

▶

CVEList

CVE-2012-2213: Squid 3↗2012-04-28

▶

📋Vendor Advisories

Red Hat

squid: URL filtering bypass↗2012-04-16

▶

💬Community

Bugzilla

CVE-2012-2213 squid: URL filtering bypass↗2012-04-30

▶