CVE-2015-5400 — Sensitive Information Exposure in Squid

CWE-264 CWE-200 — Sensitive Information Exposure CWE-391 — Unchecked Error Condition CWE-392 — Missing Report of Error Condition7 documents7 sources

Severity

6.8MEDIUMNVD

EPSS

19.8%

top 4.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Squid-cache Squid Debian Linux +1 more

Timeline

PublishedSep 28

Latest updateMay 17

Description

Squid before 3.5.6 does not properly handle CONNECT method peer responses when configured with cache_peer, which allows remote attackers to bypass intended restrictions and gain access to a backend proxy via a CONNECT request.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶Debiansquid/squid< 4.1-1+3

▶NVDsquid-cache/squid3.5.2

Also affects: Debian Linux 7.0, 8.0, Fedora 22

🔴Vulnerability Details

GHSA

GHSA-9pj4-fqm8-w5x7: Squid before 3↗2022-05-17

▶

CVEList

CVE-2015-5400: Squid before 3↗2015-09-28

▶

OSV

CVE-2015-5400: Squid before 3↗2015-09-28

▶

📋Vendor Advisories

Red Hat

squid: information disclosure due to incorrect handling of peer responses in tunnel.cc (SQUID-2015:2)↗2015-07-06

▶

Debian

CVE-2015-5400: squid - Squid before 3.5.6 does not properly handle CONNECT method peer responses when c...↗2015

▶

💬Community

Bugzilla

CVE-2015-5400 squid: information disclosure due to incorrect handling of peer responses in tunnel.cc (SQUID-2015:2)↗2015-07-07

▶