This problem allows a trusted client to perform request smuggling and poison the HTTP cache contents with crafted HTTP(S) request messages. This attack requires an upstream server to participate in the smuggling and generate the poison response sequence. Most popular server software are not vulnerable to participation in this attack. Reference: https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5
Created squid tracking bugs for this issue: Affects: fedora-all [bug 1852551]
Upstream patches: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch Squid 5: http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch
External References: https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4082 https://access.redhat.com/errata/RHSA-2020:4082
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15049
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4743 https://access.redhat.com/errata/RHSA-2020:4743
Statement: This issue has been rated as having moderate security impact, (despite of having a higher CVSS scoring) because the attack requires an upstream server to participate in the smuggling attack and generate the poison response sequence, which is really uncommon because most popular software are not vulnerable to participation in this attack. While the vulnerability does exists in squid, it is not easily exploitable and requires participation of other components on the network.