CVE-2020-25097

CVSS v3.1 8.6 (High)

CVSS v2.0 5 (Medium)

EPSS 0.30 % (70^th)

Affected Products 4

Advisories 19

An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.

Weaknesses

CWE-20: Improper Input Validation
CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVE Status: PUBLISHED
CNA: MITRE
Published Date: 2021-03-19 05:15:12
(3 years ago)
Updated Date: 2023-11-07 03:20:12
(10 months ago)

Affected Products

Configuration #1

		CPE23	From	Up To
	Squid-cache Squid from 2.0 version and prior 4.14 version	cpe:2.3:a:squid-cache:squid	>= 2.0	< 4.14
	Squid-cache Squid from 5.0.1 version and prior 5.0.5 version	cpe:2.3:a:squid-cache:squid	>= 5.0.1	< 5.0.5

Configuration #2

		CPE23	From	Up To
	Debian Linux 10.0	cpe:2.3:o:debian:debian_linux:10.0

Configuration #3

		CPE23	From	Up To
	Fedoraproject Fedora 32	cpe:2.3:o:fedoraproject:fedora:32
	Fedoraproject Fedora 33	cpe:2.3:o:fedoraproject:fedora:33
	Fedoraproject Fedora 34	cpe:2.3:o:fedoraproject:fedora:34

Configuration #4

		CPE23	From	Up To
	Netapp Cloud Manager	cpe:2.3:a:netapp:cloud_manager:-

Weaknesses

Affected Products

Debian

Fedoraproject

Netapp

Squid-cache

Configuration #1

Configuration #2

Configuration #3

Configuration #4