CVE-2020-15811: Incorrect Comparison in Squid

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.3% (top 51.48%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 2; Latest update Sep 28

Description

An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the browser cache and any downstream caches with content from an arbitrary source. Squid uses a string search instead of parsing the Transfer-Encoding header to find chunked encoding. This allows an attacke

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (4 packages)

NVD: squid-cache/squid 5.0 5.0.4 +1
Debian: squid/squid < 4.13-1 +3
Ubuntu: squid/squid < 4.10-1ubuntu1.2
NVD: opensuse/leap 15.1, 15.2 +1

Also affects: Debian Linux 10.0, 9.0, Fedora 31, 32, 33, Ubuntu Linux 16.04, 18.04, 20.04

Patches

🔴 Vulnerability Details (4)

OSV: squid3 vulnerabilities (2020-09-28)
OSV: CVE-2020-15811: An issue was discovered in Squid before 4 (2020-09-02)
CVEList: CVE-2020-15811: An issue was discovered in Squid before 4 (2020-09-02)
OSV: squid vulnerabilities (2020-08-27)

📋 Vendor Advisories (4)

Ubuntu: Squid vulnerabilities (2020-09-28)
Ubuntu: Squid vulnerabilities (2020-08-27)
Red Hat: squid: HTTP Request Splitting could result in cache poisoning (2020-08-23)
Debian: CVE-2020-15811: squid - An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorr... (2020)

💬 Community (3)

Bugzilla: CVE-2020-15811 squid: HTTP Request Splitting could result in cache poisoning (2020-08-24)
Bugzilla: CVE-2020-15811 squid: HTTP Request Splitting could result in cache poisoning [fedora-all] (2020-08-24)
Bugzilla: CVE-2020-15811 squid: HTTP Request Splitting could result in cache poisoning [fedora-all] (2020-08-24)