CVE-2019-18678
Publication date 26 November 2019
Last updated 24 July 2024
Ubuntu priority
An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid) with attacker-controlled content at arbitrary URLs. Effects are isolated to software between the attacker client and Squid. There are no effects on Squid itself, nor on any upstream servers. The issue is related to a request header containing whitespace between a header name and a colon.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| squid | ||
| 20.04 LTS focal |
Fixed 4.9-2ubuntu1
|
|
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| squid3 | ||
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic |
Fixed 3.5.27-1ubuntu1.4
|
|
| 16.04 LTS xenial |
Fixed 3.5.12-1ubuntu7.9
|
|
| 14.04 LTS trusty | Not in release |
Patch details
| Package | Patch details |
|---|---|
| squid |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.3 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-4213-1
- Squid vulnerabilities
- 4 December 2019