CVE-2019-18860 — Injection in Squid

CWE-74 — Injection CWE-20 — Improper Input Validation CWE-79 — Cross-site Scripting9 documents8 sources

Severity

6.1MEDIUMNVD

EPSS

4.3%

top 11.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Squid-cache Squid Canonical Ubuntu Linux +2 more

Timeline

PublishedMar 20

Latest updateMay 24

Description

Squid before 4.9, when certain web browsers are used, mishandles HTML in the host (aka hostname) parameter to cachemgr.cgi.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶NVDsquid-cache/squid< 4.9

▶Debiansquid/squid< 4.9-1+3

▶NVDopensuse/leap15.1

Also affects: Debian Linux 10.0, 9.0, Ubuntu Linux 16.04, 18.04, 19.10, 20.04

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-f3c4-4h69-w2fp: Squid before 4↗2022-05-24

▶

OSV

squid, squid3 vulnerabilities↗2020-05-13

▶

CVEList

CVE-2019-18860: Squid before 4↗2020-03-20

▶

OSV

CVE-2019-18860: Squid before 4↗2020-03-20

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2020-05-13

▶

Red Hat

squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour↗2019-11-03

▶

Debian

CVE-2019-18860: squid - Squid before 4.9, when certain web browsers are used, mishandles HTML in the hos...↗2019

▶

💬Community

Bugzilla

CVE-2019-18860 squid: Mishandled HTML in the host parameter to cachemgr.cgi results in insecure behaviour↗2020-03-25

▶