CVE-2016-10003 — Incorrect Comparison in Squid

CWE-697 — Incorrect Comparison CWE-200 — Sensitive Information Exposure9 documents7 sources

Severity

7.5HIGHNVD

EPSS

1.8%

top 17.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Squid-cache Squid

Timeline

PublishedJan 27

Latest updateMay 17

Description

Incorrect HTTP Request header comparison in Squid HTTP Proxy 3.5.0.1 through 3.5.22, and 4.0.1 through 4.0.16 results in Collapsed Forwarding feature mistakenly identifying some private responses as being suitable for delivery to multiple clients.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDsquid-cache/squid3.5.0.1 — 3.5.23+1

▶Alpinesquid/squid< 3.5.23-r0+1

Patches

Patch: www.openwall.com ↗Patch: www.squid-cache.org ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-96r9-hr2x-h9g7: Incorrect HTTP Request header comparison in Squid HTTP Proxy 3↗2022-05-17

▶

OSV

squid3 vulnerabilities↗2017-02-06

▶

CVEList

CVE-2016-10003: Incorrect HTTP Request header comparison in Squid HTTP Proxy 3↗2017-01-27

▶

OSV

CVE-2016-10003: Incorrect HTTP Request header comparison in Squid HTTP Proxy 3↗2017-01-27

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2017-02-06

▶

Red Hat

squid: Information disclosure in Collapsed forwarding↗2016-12-16

▶

💬Community

Bugzilla

CVE-2016-10003 squid: Information disclosure in Collapsed forwarding↗2016-12-19

▶

Bugzilla

CVE-2016-10002 CVE-2016-10003 squid: various flaws [fedora-all]↗2016-12-19

▶