CVE-2015-3455 — Improper Input Validation in Squid

CWE-20 — Improper Input Validation CWE-697 — Incorrect Comparison CWE-297 — Improper Validation of Certificate with Host Mismatch8 documents7 sources

Severity

2.6LOWNVD

EPSS

6.5%

top 8.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Fedoraproject Fedora Oracle Linux +2 more

Timeline

PublishedMay 18

Latest updateMay 13

Description

Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, do not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.

CVSS vector

AV:N/AC:H/C:N/I:P/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages4 packages

▶Debiansquid/squid< 4.1-1+3

▶NVDsquid-cache/squid70 versions+69

▶NVDoracle/linux7

▶NVDoracle/solaris11.2

Also affects: Fedora 22

🔴Vulnerability Details

GHSA

GHSA-5r9c-4h43-4v5m: Squid 3↗2022-05-13

▶

CVEList

CVE-2015-3455: Squid 3↗2015-05-18

▶

OSV

CVE-2015-3455: Squid 3↗2015-05-18

▶

📋Vendor Advisories

Red Hat

squid: incorrect X509 server certificate validation (SQUID-2015:1)↗2015-05-01

▶

Debian

CVE-2015-3455: squid - Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x b...↗2015

▶

💬Community

Bugzilla

CVE-2015-3455 squid: incorrect X509 server certificate validation (SQUID-2015:1)↗2015-05-04

▶

Bugzilla

CVE-2015-3455 squid: incorrect X509 server certificate validation (SQUID-2015:1) [fedora-all]↗2015-05-04

▶