Описание
An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.
A flaw was found in squid. Due to improper validation while parsing the request URI, squid is vulnerable to HTTP request smuggling. This issue could allow a trusted client to perform an HTTP request smuggling attack and access services otherwise forbidden by squid. The highest threat from this vulnerability is to data confidentiality.
Отчет
This flaw is not tied to a specific proxy type (e.g., forward or reverse) and has been rated as having a security impact of Important. This flaw affects the versions of Squid as shipped with Red Hat Enterprise Linux 7 and 8, and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 6. Red Hat Enterprise Linux 6 is now in Extended Life Phase of the support and maintenance life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Меры по смягчению последствий
This flaw can be mitigated by setting the uri_whitespace directive in squid.conf to either:
or
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | squid | Out of support scope | ||
| Red Hat Enterprise Linux 6 | squid34 | Out of support scope | ||
| Red Hat Enterprise Linux 9 | squid | Not affected | ||
| Red Hat Enterprise Linux 7 | squid | Fixed | RHSA-2021:1135 | 08.04.2021 |
| Red Hat Enterprise Linux 8 | squid | Fixed | RHSA-2021:1979 | 18.05.2021 |
| Red Hat Enterprise Linux 8.1 Extended Update Support | squid | Fixed | RHSA-2021:2025 | 19.05.2021 |
| Red Hat Enterprise Linux 8.2 Extended Update Support | squid | Fixed | RHSA-2021:2025 | 19.05.2021 |
Показывать по
Дополнительная информация
Статус:
8.6 High
CVSS3
Связанные уязвимости
An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.
An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.
An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. D ...
8.6 High
CVSS3