CVE-2019-18678

MEDIUM

Squid 3.0-4.8 - HTTP Request Smuggling via Header Whitespace

Title source: llm
STIX 2.1

Description

An issue was discovered in Squid 3.x and 4.x through 4.8. It allows attackers to smuggle HTTP requests through frontend software to a Squid instance that splits the HTTP Request pipeline differently. The resulting Response messages corrupt caches (between a client and Squid) with attacker-controlled content at arbitrary URLs. Effects are isolated to software between the attacker client and Squid. There are no effects on Squid itself, nor on any upstream servers. The issue is related to a request header containing whitespace between a header name and a colon.

References (11)

Core 11
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/squid-cache/squid/pull/445
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.suse.com/show_bug.cgi?id=1156323
Third Party Advisory x_refsource_confirm
http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4213-1/
Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202003-34
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4682
Mailing List mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html

Scores

CVSS v3 5.3
EPSS 0.1093
EPSS Percentile 95.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE
CWE-444
Status published
Products (8)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.04
canonical/ubuntu_linux 19.10
debian/debian_linux 8.0
fedoraproject/fedora 30
fedoraproject/fedora 31
squid-cache/squid 3.0 - 3.5.28
Published Nov 26, 2019
Tracked Since Feb 18, 2026