CVE-2019-18677

MEDIUM

Squid 2.0-2.7 and 3.x-4.8 - Cross-Site Request Forgery via append_domain Setting

Title source: llm
STIX 2.1

Description

An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.

References (11)

Core 11
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/squid-cache/squid/pull/427
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.suse.com/show_bug.cgi?id=1156328
Third Party Advisory x_refsource_confirm
http://www.squid-cache.org/Advisories/SQUID-2019_9.txt
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4213-1/
Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4682
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html

Scores

CVSS v3 6.1
EPSS 0.0421
EPSS Percentile 88.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-352
Status published
Products (8)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.04
canonical/ubuntu_linux 19.10
fedoraproject/fedora 30
fedoraproject/fedora 31
squid-cache/squid 2.7 stable2 (8 CPE variants)
squid-cache/squid 2.0 - 2.7
Published Nov 26, 2019
Tracked Since Feb 18, 2026