CVE-2019-18677: Cross-Site Request Forgery in Squid

Severity: 6.1 MEDIUM (NVD)
EPSS: 4.2% (top 11.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 26; latest update May 24

Description

An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Exploitability: 2.8 | Impact: 2.7)

Affected Packages (2 packages)

Debian: squid/squid < 4.9-1 (+3)
NVD: squid-cache/squid 2.0 to 2.7 (+3)

Also affects: Fedora 30, 31, Ubuntu Linux 16.04, 18.04, 19.04, 19.10

Patches

Vulnerability Details (3)

GHSA: GHSA-mm65-p7g9-c5hr: An issue was discovered in Squid 3 (2022-05-24)
OSV: CVE-2019-18677: An issue was discovered in Squid 3 (2019-11-26)
CVEList: CVE-2019-18677: An issue was discovered in Squid 3 (2019-11-26)

Vendor Advisories (3)

Ubuntu: Squid vulnerabilities (2019-12-04)
Red Hat: squid: Cross-Site Request Forgery issue in HTTP Request processing (2019-11-05)
Debian: CVE-2019-18677: squid - An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain ... (2019)

Community (2)

Bugzilla: CVE-2019-18677 squid: Cross-Site Request Forgery issue in HTTP Request processing [fedora-all] (2019-11-08)
Bugzilla: CVE-2019-18677 squid: Cross-Site Request Forgery issue in HTTP Request processing (2019-11-08)