CVE-2019-18677

Current Description

An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used, because the appended characters do not properly interact with hostname length restrictions. Due to incorrect message processing, Squid can inappropriately redirect traffic to origins it should not be delivered to.
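The description gives two preconditions: an affected Squid version and an active append_domain directive. The following check encodes exactly those two conditions, using the inclusive version ranges from the Configurations section of this record (2.0 through 2.7 including the 2.7.STABLEn releases, 3.0 through 3.5.28, 4.0 through 4.8). It is an added example written for this page, not Squid project code or anything from the advisory; the `squid -v` output and the squid.conf fragment it parses are constructed sample input.

```python
"""Affected-version check for CVE-2019-18677 (added example, not Squid
project code).  It encodes only what this record states: the inclusive
version ranges from the Configurations section (2.0-2.7, including the
2.7.STABLEn releases, 3.0-3.5.28, 4.0-4.8) and the precondition that an
append_domain directive is active in squid.conf.  All sample inputs are
constructed for the example."""
import re

# Inclusive (low, high) ranges taken from the CPE configurations on this page.
AFFECTED_RANGES = (((2, 0), (2, 7)), ((3, 0), (3, 5, 28)), ((4, 0), (4, 8)))


def parse_version(text):
    """Convert '4.8', '3.5.28' or '2.7.STABLE9' into a comparable int tuple.
    The STABLEn suffix of 2.x/3.0 releases is dropped: the record lists it as
    a CPE 'update', so 2.7.STABLE9 belongs to the 2.0-2.7 range."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Squid version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_affected(version):
    """True when the version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def parse_squid_version_output(output):
    """Pull the version out of `squid -v`, whose first line reads
    'Squid Cache: Version 4.8'."""
    m = re.search(r"^Squid Cache: Version (\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Squid Cache: Version' line in output")
    return m.group(1)


# Only blanks may precede the directive, so '# append_domain ...' never matches.
_APPEND_DOMAIN = re.compile(r"^[ \t]*append_domain[ \t]+(\S+)", re.MULTILINE)


def append_domain_setting(conf_text):
    """Return the value of the first active append_domain directive
    (e.g. '.corp.example'), or None when none is configured."""
    m = _APPEND_DOMAIN.search(conf_text)
    return m.group(1) if m else None


def affected(version, conf_text):
    """Both preconditions from the description must hold: an affected
    version *and* append_domain in use."""
    return version_affected(version) and append_domain_setting(conf_text) is not None


# Constructed sample input: `squid -v` output and a squid.conf that uses
# append_domain, plus a commented-out directive that must not count.
SAMPLE_SQUID_V = "Squid Cache: Version 4.8\nService Name: squid\n"
SAMPLE_CONF = """\
# append_domain .ignored.example   (commented out)
http_port 3128
append_domain .corp.example
"""

if __name__ == "__main__":
    installed = parse_squid_version_output(SAMPLE_SQUID_V)
    for v in (installed, "4.9", "3.5.28", "2.7.STABLE9"):
        verdict = "AFFECTED" if affected(v, SAMPLE_CONF) else "not in the affected set"
        print(f"Squid {v} with append_domain {append_domain_setting(SAMPLE_CONF)}: {verdict}")
```

On a live host the two inputs would come from `subprocess.run(["squid", "-v"], capture_output=True, text=True).stdout` and the contents of squid.conf. Treat the result as triage against the upstream version list in this record only: the Ubuntu, Fedora and Debian advisories listed under References ship backported fixes, so a distribution package can be patched while its upstream version number still falls inside an affected range.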

Basic Data

Published: November 26, 2019
Last Modified: July 11, 2020
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-352 (Cross-Site Request Forgery)
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Integrity Impact: PARTIAL (I:P in the vector string)
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 5.8
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 4.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false
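The base, exploitability and impact scores above are derived from the vector string alone. The following added example (written for this page; it is not part of the NVD record) implements the CVSS v2 base equations and decodes a vector into the metric names NVD prints, so a record's numbers can be recomputed from its vector. Run on this record's vector it returns 5.8 / 8.6 / 4.9 and MEDIUM, and the decoded vector also yields the Integrity Impact of PARTIAL that I:P encodes.

```python
"""CVSS v2 base-score check (added example, not part of the NVD record).
It implements the CVSS v2 base equations and decodes a vector string into
the metric names NVD uses, so the scores in a record can be recomputed
from its vector.  Metric weights and rounding follow the CVSS v2 guide."""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Metric names and value names as NVD prints them.
NAMES = {
    "AV": ("Access Vector", {"L": "LOCAL", "A": "ADJACENT_NETWORK", "N": "NETWORK"}),
    "AC": ("Access Complexity", {"H": "HIGH", "M": "MEDIUM", "L": "LOW"}),
    "Au": ("Authentication", {"M": "MULTIPLE", "S": "SINGLE", "N": "NONE"}),
    "C": ("Confidentiality Impact", {"N": "NONE", "P": "PARTIAL", "C": "COMPLETE"}),
    "I": ("Integrity Impact", {"N": "NONE", "P": "PARTIAL", "C": "COMPLETE"}),
    "A": ("Availability Impact", {"N": "NONE", "P": "PARTIAL", "C": "COMPLETE"}),
}


def round1(x):
    """Round half up to one decimal as the CVSS v2 guide specifies
    (Python's round() is half-to-even, which can differ on .x5 values)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Split 'AV:N/AC:M/Au:N/C:P/I:P/A:N' into {'AV': 'N', ...}, rejecting
    vectors with missing, duplicated or unknown metrics."""
    parts = {}
    for item in vector.split("/"):
        key, _, value = item.partition(":")
        if key not in NAMES or value not in NAMES[key][1] or key in parts:
            raise ValueError(f"bad CVSS v2 metric {item!r}")
        parts[key] = value
    if len(parts) != len(NAMES):
        raise ValueError(f"vector is missing metrics: {vector!r}")
    return parts


def decode(vector):
    """Map a vector to NVD's metric names, e.g. 'Integrity Impact': 'PARTIAL'."""
    return {NAMES[k][0]: NAMES[k][1][v] for k, v in parse_vector(vector).items()}


def severity(base):
    """NVD's CVSS v2 severity bands: 0.0-3.9 LOW, 4.0-6.9 MEDIUM, 7.0-10.0 HIGH."""
    return "LOW" if base < 4.0 else "MEDIUM" if base < 7.0 else "HIGH"


def cvss2_base(vector):
    """Compute base, exploitability and impact sub-scores from a vector."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    if impact == 0:
        base = 0.0  # f(Impact) is 0 when there is no impact at all
    else:
        base = round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)
    return {
        "base": base,
        "severity": severity(base),
        "exploitability": round1(exploitability),
        "impact": round1(impact),
    }


# The vector string from this record.
CVE_2019_18677_VECTOR = "AV:N/AC:M/Au:N/C:P/I:P/A:N"

if __name__ == "__main__":
    for name, value in decode(CVE_2019_18677_VECTOR).items():
        print(f"{name}: {value}")
    print(cvss2_base(CVE_2019_18677_VECTOR))
```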

Base Metric V3

No data provided.

Configurations

  (CPE 2.3 field order: cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other; "*" means any value. Version ranges are inclusive at both ends.)

  • OR - Configuration 1 (Part: Application, Vendor: Squid-cache, Product: Squid)
    cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*            Version Start Including 2.0, Version End Including 2.7
    cpe:2.3:a:squid-cache:squid:2.7:stable2:*:*:*:*:*:*
    cpe:2.3:a:squid-cache:squid:2.7:stable3:*:*:*:*:*:*
    cpe:2.3:a:squid-cache:squid:2.7:stable4:*:*:*:*:*:*
    cpe:2.3:a:squid-cache:squid:2.7:stable5:*:*:*:*:*:*
    cpe:2.3:a:squid-cache:squid:2.7:stable6:*:*:*:*:*:*
    cpe:2.3:a:squid-cache:squid:2.7:stable7:*:*:*:*:*:*
    cpe:2.3:a:squid-cache:squid:2.7:stable8:*:*:*:*:*:*
    cpe:2.3:a:squid-cache:squid:2.7:stable9:*:*:*:*:*:*
    cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*            Version Start Including 3.0, Version End Including 3.5.28
    cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*            Version Start Including 4.0, Version End Including 4.8
  • OR - Configuration 2 (Part: OS, Vendor: Canonical, Product: Ubuntu Linux)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
  • OR - Configuration 3 (Part: OS, Vendor: Fedoraproject, Product: Fedora)
    cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

Vulnerable Software List

Vendor        | Product       | Versions
Canonical     | Ubuntu Linux  | 16.04, 18.04, 19.04, 19.10
Squid-cache   | Squid         | *, 2.7
Fedoraproject | Fedora        | 30, 31

References

Name: http://www.squid-cache.org/Advisories/SQUID-2019_9.txt
  URL: http://www.squid-cache.org/Advisories/SQUID-2019_9.txt
  Source: CONFIRM; Tags: Third Party Advisory
Name: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch
  URL: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch
  Source: CONFIRM; Tags: Release Notes
Name: http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch
  URL: http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch
  Source: CONFIRM; Tags: Release Notes
Name: https://bugzilla.suse.com/show_bug.cgi?id=1156328
  URL: https://bugzilla.suse.com/show_bug.cgi?id=1156328
  Source: CONFIRM; Tags: Issue Tracking, Third Party Advisory
Name: https://github.com/squid-cache/squid/pull/427
  URL: https://github.com/squid-cache/squid/pull/427
  Source: MISC; Tags: Patch, Third Party Advisory
Name: [debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update
  URL: https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html
  Source: MLIST; Tags: Third Party Advisory
Name: [debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update
  URL: https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
  Source: MLIST
Name: FEDORA-2019-9538783033
  URL: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74
  Source: FEDORA; Tags: Mailing List, Third Party Advisory
Name: FEDORA-2019-0b16cbdd0e
  URL: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOY
  Source: FEDORA; Tags: Mailing List, Third Party Advisory
Name: USN-4213-1
  URL: https://usn.ubuntu.com/4213-1/
  Source: UBUNTU; Tags: Third Party Advisory
Name: DSA-4682
  URL: https://www.debian.org/security/2020/dsa-4682
  Source: DEBIAN