CVE-2022-41317 — Incorrect Comparison in Squid

CWE-697 — Incorrect Comparison CWE-284 — Improper Access Control CWE-200 — Sensitive Information Exposure7 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

1.2%

top 20.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Squid Squid-cache Squid

Timeline

PublishedDec 25

Description

An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDsquid-cache/squid5.0.6 — 5.7+1

▶Debiansquid/squid< 4.13-10+deb11u2+3

▶Ubuntusquid/squid< 4.10-1ubuntu1.7+1

Patches

Patch: www.squid-cache.org ↗Patch: www.squid-cache.org ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-41317: An issue was discovered in Squid 4↗2022-12-25

▶

CVEList

CVE-2022-41317: An issue was discovered in Squid 4↗2022-12-25

▶

OSV

squid, squid3 vulnerabilities↗2022-09-26

▶

📋Vendor Advisories

Ubuntu

Squid vulnerabilities↗2022-09-26

▶

Red Hat

squid: exposure of sensitive information in cache manager↗2022-09-23

▶

Debian

CVE-2022-41317: squid - An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to ...↗2022

▶