1. Home
  2. Vulnerabilities
  3. CVE-2020-15810

CVE-2020-15810

CVSS v3.1 6.5 (Medium)
65% Progress
CVSS v2.0 3.5 (Low)
35% Progress
EPSS 0.19 % (56th)
0.19% Progress
Affected Products 5
Advisories 19
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software OVAL Tools, Exploits & PoC Graph Web & Social Timeline

An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. When this occurs as a prefix to a Content-Length header, the frame length specified will be ignored by Squid (allowing for a conflicting length to be used from another Content-Length header) but relayed upstream.

Weaknesses
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE Status
PUBLISHED
CNA
MITRE
Published Date
2020-09-02 17:15:11
(4 years ago)
Updated Date
2023-11-07 03:17:55
(10 months ago)

Affected Products

Canonical

Debian

Fedoraproject

Opensuse

Squid-cache

Configuration #1

    CPE23 From Up To
  Squid-cache Squid prior 4.13 version cpe:2.3:a:squid-cache:squid < 4.13
  Squid-cache Squid from 5.0 version and prior 5.0.4 version cpe:2.3:a:squid-cache:squid >= 5.0 < 5.0.4

Configuration #2

    CPE23 From Up To
  Canonical Ubuntu Linux 16.04 cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts
  Canonical Ubuntu Linux 18.04 cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts
  Canonical Ubuntu Linux 20.04 cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts

Configuration #3

    CPE23 From Up To
  Debian Linux 9.0 cpe:2.3:o:debian:debian_linux:9.0
  Debian Linux 10.0 cpe:2.3:o:debian:debian_linux:10.0

Configuration #4

    CPE23 From Up To
  Fedoraproject Fedora 31 cpe:2.3:o:fedoraproject:fedora:31
  Fedoraproject Fedora 32 cpe:2.3:o:fedoraproject:fedora:32
  Fedoraproject Fedora 33 cpe:2.3:o:fedoraproject:fedora:33

Configuration #5

    CPE23 From Up To
  Opensuse Leap 15.1 cpe:2.3:o:opensuse:leap:15.1
  Opensuse Leap 15.2 cpe:2.3:o:opensuse:leap:15.2