CVE-2019-18677
Published: 26 November 2019
An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
squid Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| disco |
Released
(4.4-1ubuntu2.3)
|
|
| eoan |
Released
(4.8-1ubuntu2.1)
|
|
| focal |
Released
(4.9-2ubuntu1)
|
|
| groovy |
Released
(4.9-2ubuntu1)
|
|
| hirsute |
Released
(4.9-2ubuntu1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(4.9-1)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch |
||
|
squid3 Launchpad, Ubuntu, Debian |
bionic |
Released
(3.5.27-1ubuntu1.4)
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(3.5.12-1ubuntu7.9)
|
|
|
Patches: upstream: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.1 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |