CVE-2020-15049

CVSS v3.1 8.8 (High)

CVSS v2.0 6.5 (Medium)

EPSS 1.02 % (84^th)

Affected Products 2

Advisories 16

An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing "+\ "-" or an uncommon shell whitespace character prefix to the length field-value.

Weaknesses

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVE Status: PUBLISHED
CNA: MITRE
Published Date: 2020-06-30 18:15:12
(4 years ago)
Updated Date: 2023-11-07 03:17:23
(10 months ago)

Affected Products

Fedoraproject

Fedora

Squid-cache

Squid

Configuration #1

	CPE23	From	Up To
Squid-cache Squid from 2.0 version and 2.6 and prior versions	cpe:2.3:a:squid-cache:squid	>= 2.0	<= 2.6
Squid-cache Squid from 3.1 version and 3.5.28 and prior versions	cpe:2.3:a:squid-cache:squid	>= 3.1	<= 3.5.28
Squid-cache Squid from 4.0 version and prior 4.12 version	cpe:2.3:a:squid-cache:squid	>= 4.0	< 4.12
Squid-cache Squid from 5.0 version and prior 5.0.3 version	cpe:2.3:a:squid-cache:squid	>= 5.0	< 5.0.3
Squid-cache Squid 2.7	cpe:2.3:a:squid-cache:squid:2.7
Squid-cache Squid 2.7 Stable2	cpe:2.3:a:squid-cache:squid:2.7:stable2
Squid-cache Squid 2.7 Stable3	cpe:2.3:a:squid-cache:squid:2.7:stable3
Squid-cache Squid 2.7 Stable4	cpe:2.3:a:squid-cache:squid:2.7:stable4
Squid-cache Squid 2.7 Stable5	cpe:2.3:a:squid-cache:squid:2.7:stable5
Squid-cache Squid 2.7 Stable6	cpe:2.3:a:squid-cache:squid:2.7:stable6
Squid-cache Squid 2.7 Stable7	cpe:2.3:a:squid-cache:squid:2.7:stable7
Squid-cache Squid 2.7 Stable8	cpe:2.3:a:squid-cache:squid:2.7:stable8
Squid-cache Squid 2.7 Stable9	cpe:2.3:a:squid-cache:squid:2.7:stable9

Configuration #2

		CPE23	From	Up To
	Fedoraproject Fedora 31	cpe:2.3:o:fedoraproject:fedora:31