Main Vulnerability Database Vulnerabilities #VU29391

#VU29391 Inconsistent interpretation of HTTP requests in Squid - CVE-2020-15049

Published: June 30, 2020

Vulnerability identifier: #VU29391

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Green

CVE-ID: CVE-2020-15049

CWE-ID: CWE-444

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Squid

Software vendor:
Squid-cache.org

Description

The vulnerability allows a remote attacker to perform cache poisoning attack.

The vulnerability exists in the way Squid processes client's requests. A remote client can send specially crafted data in the request to perform request smuggling and poison the HTTP cache contents with crafted HTTP(S) request messages.

Successful exploitation of the vulnerability requires an upstream server to participate in the smuggling and generate the poison response sequence.

Remediation

Install updates from vendor's website.

External links

https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5

#VU29391 Inconsistent interpretation of HTTP requests in Squid - CVE-2020-15049

Description

Remediation

External links

Please verify you're human