Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2019-18860 CVE-2020-15049 |
CWE-ID | CWE-74 CWE-444 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Debian Linux Operating systems & Components / Operating system squid (Debian package) Operating systems & Components / Operating system package or component |
Vendor | Debian |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU27677
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-18860
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cache poisoning attack.
The vulnerability exists due to improper input validation of HTML code within the hostname parameter in cachemgr.cgi. A remote attacker can send a specially crated HTTP request and poison the cache.
Update squid package to version 4.6-1+deb10u3.
Vulnerable software versionsDebian Linux: All versions
squid (Debian package): before 4.6-1+deb10u3
External linkshttp://www.debian.org/security/2020/dsa-4732
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU29391
Risk: Medium
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15049
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cache poisoning attack.
The vulnerability exists in the way Squid processes client's requests. A remote client can send specially crafted data in the request to perform request smuggling and poison the HTTP cache contents with crafted HTTP(S) request messages.
Successful exploitation of the vulnerability requires an upstream server to participate in the smuggling and generate the poison response sequence.
MitigationUpdate squid package to version 4.6-1+deb10u3.
Vulnerable software versionsDebian Linux: All versions
squid (Debian package): before 4.6-1+deb10u3
External linkshttp://www.debian.org/security/2020/dsa-4732
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.