CVE-2015-3455

Опубликовано: 01 мая 2015

Источник: redhat

CVSS2: 5.8

EPSS Низкий

Описание

Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, do not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.

It was found that Squid configured with client-first SSL-bump did not correctly validate X.509 server certificate host name fields. A man-in-the-middle attacker could use this flaw to spoof a Squid server using a specially crafted X.509 certificate.

Отчет

This issue did not affect the versions of squid as shipped with Red Hat Enterprise Linux 5 and 6.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 5	squid	Not affected
Red Hat Enterprise Linux 6	squid	Not affected
Red Hat Enterprise Linux 7	squid	Fixed	RHSA-2015:2378	19.11.2015

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-697->CWE-297

https://bugzilla.redhat.com/show_bug.cgi?id=1218118squid: incorrect X509 server certificate validation (SQUID-2015:1)

EPSS

Процентиль: 83%

0.02109

Низкий

5.8 Medium

CVSS2

Связанные уязвимости

CVE-2015-3455

ubuntu

больше 10 лет назад

CVE-2015-3455

nvd

больше 10 лет назад

CVE-2015-3455

debian

больше 10 лет назад

Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, a ...

GHSA-5r9c-4h43-4v5m

github

больше 3 лет назад

ELSA-2015-2378

oracle-oval

почти 10 лет назад

ELSA-2015-2378: squid security and bug fix update (MODERATE)

EPSS

Процентиль: 83%

0.02109

Низкий

5.8 Medium

CVSS2