
Test ID: 1.3.6.1.4.1.25623.1.0.143765
Category: Web Servers
Title: Squid 3.5.18 - 3.5.28 / 4.0.10 - 4.7 Multiple Vulnerabilities (SQUID-2019:4)
Summary: Squid is prone to multiple vulnerabilities.
Description:
Summary:
Squid is prone to multiple vulnerabilities.

Vulnerability Insight:
Due to incorrect URL handling Squid is vulnerable to access
control bypass, cache poisoning and cross-site scripting attacks when processing HTTP Request
messages.

Vulnerability Impact:
A remote client can:

- deliver crafted URLs to bypass cache manager security controls and retrieve confidential details
about the proxy and traffic it is handling.

- deliver crafted URLs which cause arbitrary content from one origin server to be stored in cache
as URLs within another origin. This opens a window of opportunity for clients to be tricked into
fetching and XSS execution of that content via side channels.

Affected Software/OS:
Squid proxy 3.5.18 through 3.5.28 and 4.0.10 through 4.7.

Note: All Squid-4.x up to and including 4.7 without HTTPS support are NOT vulnerable.

Solution:
Update to version 4.8 or later.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-reference: Common Vulnerability Exposure (CVE) ID: CVE-2019-12520
Debian Security Information: DSA-4682
https://www.debian.org/security/2020/dsa-4682
http://www.squid-cache.org/Versions/v4/
http://www.squid-cache.org/Versions/v4/changesets/
https://github.com/squid-cache/squid/commits/v4
https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12520.txt
https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
https://usn.ubuntu.com/4446-1/
Common Vulnerability Exposure (CVE) ID: CVE-2019-12524
https://gitlab.com/jeriko.one/security/-/blob/master/squid/CVEs/CVE-2019-12524.txt
Copyright: Copyright (C) 2020 Greenbone Networks GmbH





© 1998-2025 E-Soft Inc. All rights reserved.