Main Vulnerability Database Vulnerabilities #VU22587

Inconsistent interpretation of HTTP requests in Squid - CVE-2019-18678

Published: November 7, 2019

Vulnerability identifier: #VU22587

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-18678

CWE-ID: CWE-444

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Squid-cache.org

Affected software:
Squid

Detailed vulnerability description

The vulnerability allows a remote attacker to perform HTTP request smuggling attack.

The vulnerability exists due to insufficient validation of HTTP request headers in Squid. A remote attacker can initiate a specially crafted HTTP request that will cause the software to split HTTP request and display to the end user content, controlled by the attacker at arbitrary URL.

How to mitigate CVE-2019-18678

Install updates from vendor's website.

Sources

http://www.squid-cache.org/Advisories/SQUID-2019_10.txt

Inconsistent interpretation of HTTP requests in Squid - CVE-2019-18678

Detailed vulnerability description

How to mitigate CVE-2019-18678

Sources

Please verify you're human