CVE-2019-18678 — HTTP Request Smuggling in Squid

CWE-444 — HTTP Request Smuggling CWE-20 — Improper Input Validation10 documents9 sources

Severity

5.3MEDIUMNVD

EPSS

10.0%

top 6.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Squid-cache Squid Canonical Ubuntu Linux +2 more

Timeline

PublishedNov 26

Latest updateMay 24

Description

An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid) with attacker-controlled content at arbitrary URLs. Effects are isolated to software between the attacker client and Squid. There are no effects on Squid itself, nor on any upstream servers. The issue is related to a request…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶Debiansquid/squid< 4.9-1+3

▶NVDsquid-cache/squid3.0 — 3.5.28+1

Also affects: Debian Linux 8.0, Fedora 30, 31, Ubuntu Linux 16.04, 18.04, 19.04, 19.10

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-jvgf-c7c2-w98p: An issue was discovered in Squid 3↗2022-05-24

▶

CVEList

CVE-2019-18678: An issue was discovered in Squid 3↗2019-11-26

▶

OSV

CVE-2019-18678: An issue was discovered in Squid 3↗2019-11-26

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2019-12-04

▶

Red Hat

squid: HTTP Request Splitting issue in HTTP message processing↗2019-11-05

▶

Debian

CVE-2019-18678: squid - An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to...↗2019

▶

💬Community

Bugzilla

CVE-2019-18678 squid: HTTP Request Splitting issue in HTTP message processing↗2019-11-08

▶

Bugzilla

CVE-2019-18678 squid: HTTP Request Splitting issue in HTTP message processing [fedora-all]↗2019-11-08

▶