Bug 1852550 (CVE-2020-15049) - CVE-2020-15049 squid: Request smuggling and poisoning attack against the HTTP cache
Status: CLOSED ERRATA
Alias: CVE-2020-15049
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Red Hat Product Security
Depends On: 1852551 1853129 1853130
Blocks: 1852556
Reported: 2020-06-30 16:57 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-11-04 03:32 UTC

Fixed In Version: squid 4.12, squid 5.0.3
Last Closed: 2020-09-30 09:57:24 UTC

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4082 None None None 2020-09-30 07:01:05 UTC
Red Hat Product Errata RHSA-2020:4743 None None None 2020-11-04 03:32:10 UTC

Description Guilherme de Almeida Suckevicz 2020-06-30 16:57:52 UTC
This problem allows a trusted client to perform request smuggling and poison the HTTP cache contents with crafted HTTP(S) request messages. This attack requires an upstream server to participate in the smuggling and generate the poison response sequence. Most popular server software is not vulnerable to participation in this attack.

Reference:
https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5

Comment 1 Guilherme de Almeida Suckevicz 2020-06-30 16:58:07 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1852551]

Comment 3 Huzaifa S. Sidhpurwala 2020-07-02 04:06:40 UTC
External References:

https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5

Comment 5 Huzaifa S. Sidhpurwala 2020-07-02 04:07:48 UTC
Mitigation:

This problem allows a trusted client to perform request smuggling and poison the HTTP cache contents with crafted HTTP(S) request messages.
This attack requires an upstream server to participate in the smuggling and generate the poison response sequence. Most popular server software is not vulnerable to participation in this attack.

Comment 6 Huzaifa S. Sidhpurwala 2020-07-02 04:12:25 UTC
Statement:

This issue has been rated as having moderate security impact (despite having a higher CVSS score) because the attack requires an upstream server to participate in the smuggling attack and generate the poison response sequence, which is really uncommon because most popular software is not vulnerable to participation in this attack. So, while the vulnerability does exist in squid, it is not easily exploitable and requires participation of other components on the network.

Comment 13 errata-xmlrpc 2020-09-30 07:01:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4082 https://access.redhat.com/errata/RHSA-2020:4082

Comment 14 Product Security DevOps Team 2020-09-30 09:57:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15049

Comment 15 errata-xmlrpc 2020-11-04 03:32:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4743 https://access.redhat.com/errata/RHSA-2020:4743
