CVE - CVE-2019-18678

CVE-ID
CVE-2019-18678	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid) with attacker-controlled content at arbitrary URLs. Effects are isolated to software between the attacker client and Squid. There are no effects on Squid itself, nor on any upstream servers. The issue is related to a request header containing whitespace between a header name and a colon.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:http://www.squid-cache.org/Advisories/SQUID-2019_10.txt CONFIRM:http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch CONFIRM:https://bugzilla.suse.com/show_bug.cgi?id=1156323 DEBIAN:DSA-4682 URL:https://www.debian.org/security/2020/dsa-4682 FEDORA:FEDORA-2019-0b16cbdd0e URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/ FEDORA:FEDORA-2019-9538783033 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/ GENTOO:GLSA-202003-34 URL:https://security.gentoo.org/glsa/202003-34 MISC:https://github.com/squid-cache/squid/pull/445 MLIST:[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update URL:https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html MLIST:[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update URL:https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html UBUNTU:USN-4213-1 URL:https://usn.ubuntu.com/4213-1/
Assigning CNA
MITRE Corporation
Date Record Created
20191104	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20191104)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)