CVE-2016-10002 – squid: Information disclosure in HTTP request processing

https://notcve.org/view.php?id=CVE-2016-10002

Incorrect processing of responses to If-None-Modified HTTP conditional requests in Squid HTTP Proxy 3.1.10 through 3.1.23, 3.2.0.3 through 3.5.22, and 4.0.1 through 4.0.16 leads to client-specific Cookie data being leaked to other clients. Attack requests can easily be crafted by a client to probe a cache for this information. Procesamiento incorrecto de respuestas a peticiones condicionales If-None-Modified HTTP en Squid HTTP Proxy 3.1.10 hasta la versión 3.1.23, 3.2.0.3 hasta la versión 3.5.22 y 4.0.1 hasta la versión 4.0.16 conduce a que datos Cookie de un cliente específico sean filtrados a otros clientes. Peticiones de ataque pueden ser fácilmente manipuladas por un cliente para probar una memoria caché para esta información. It was found that squid did not properly remove connection specific headers when answering conditional requests using a cached request. • http://rhn.redhat.com/errata/RHSA-2017-0182.html http://rhn.redhat.com/errata/RHSA-2017-0183.html http://www.debian.org/security/2016/dsa-3745 http://www.openwall.com/lists/oss-security/2016/12/18/1 http://www.securityfocus.com/bid/94953 http://www.securitytracker.com/id/1037513 http://www.squid-cache.org/Advisories/SQUID-2016_11.txt https://access.redhat.com/security/cve/CVE-2016-10002 https://bugzilla.redhat.com/show_bug.cgi?id=1405941 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •