QwikSec

Security Database

CVE

CWE

Training

CVE-2020-15049

Published: Jun 30, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

9.9

CRITICAL

Description

An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing "+\ "-" or an uncommon shell whitespace character prefix to the length field-value.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:L/S:C/UI:N

Attack Complexity

Low

Attack Vector

Network

Availability

High

Confidentiality

High

Integrity

High

Privileges Required

Low

Scope

Changed

User Interaction

None

References

http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch

x_refsource_MISC

http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch

x_refsource_MISC

https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5

x_refsource_CONFIRM

FEDORA-2020-cbebc5617e

vendor-advisory

x_refsource_FEDORA

vendor-advisory

x_refsource_DEBIAN

openSUSE-SU-2020:1346

vendor-advisory

x_refsource_SUSE

openSUSE-SU-2020:1369

vendor-advisory

x_refsource_SUSE

vendor-advisory

x_refsource_UBUNTU

[debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update

mailing-list

x_refsource_MLIST

https://security.netapp.com/advisory/ntap-20210312-0001/

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.