CVE-2020-15810

squid: HTTP Request Smuggling could result in cache poisoning

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. When this occurs as a prefix to a Content-Length header, the frame length specified will be ignored by Squid (allowing for a conflicting length to be used from another Content-Length header) but relayed upstream.

Se detectó un problema en Squid versiones anteriores a 4.13 y versiones 5.x anteriores a 5.0.4. Debido a una comprobación de datos incorrecta, los ataques de Contrabando de Peticiones HTTP pueden tener éxito contra el tráfico HTTP y HTTPS. Esto conlleva a un envenenamiento de la caché. Esto permite a cualquier cliente, incluyendo los scripts del navegador, omitir la seguridad local y envenenar el caché del proxy y cualquier caché aguas abajo con contenido de una fuente arbitraria. Cuando es configurado para un análisis de encabezado relajado (el valor predeterminado), Squid transmite encabezados que contienen caracteres de espacio en blanco hacia los servidores aguas arriba. Cuando esto ocurre como un prefijo en un encabezado Content-Length, Squid ignorará la longitud de trama especificada (permitiendo usar una longitud conflictiva desde otro encabezado Content-Length) pero se retransmitirá aguas arriba

A flaw was found in squid. Due to incorrect data validation, a HTTP Request Smuggling attack against HTTP and HTTPS traffic is possible leading to cache poisoning. The highest threat from this vulnerability is to data confidentiality and integrity.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-07-17 CVE Reserved
2020-08-27 CVE Published
2023-03-07 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

References (15)

URL	Tag	Source
https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m	Mitigation
https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html	Mailing List
https://security.netapp.com/advisory/ntap-20210219-0007	Third Party Advisory
https://security.netapp.com/advisory/ntap-20210226-0006	Third Party Advisory
https://security.netapp.com/advisory/ntap-20210226-0007	Broken Link

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7	2023-11-07
https://usn.ubuntu.com/4477-1	2023-11-07
https://usn.ubuntu.com/4551-1	2023-11-07
https://www.debian.org/security/2020/dsa-4751	2023-11-07
https://access.redhat.com/security/cve/CVE-2020-15810	2020-09-30
https://bugzilla.redhat.com/show_bug.cgi?id=1871700	2020-09-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Squid-cache Search vendor "Squid-cache"		Squid Search vendor "Squid-cache" for product "Squid"				< 4.13 Search vendor "Squid-cache" for product "Squid" and version " < 4.13"		-		Affected
Squid-cache Search vendor "Squid-cache"		Squid Search vendor "Squid-cache" for product "Squid"				>= 5.0 < 5.0.4 Search vendor "Squid-cache" for product "Squid" and version " >= 5.0 < 5.0.4"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				20.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "20.04"		lts		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				31 Search vendor "Fedoraproject" for product "Fedora" and version "31"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				32 Search vendor "Fedoraproject" for product "Fedora" and version "32"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				33 Search vendor "Fedoraproject" for product "Fedora" and version "33"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.2 Search vendor "Opensuse" for product "Leap" and version "15.2"		-		Affected