Vulnerability Description
An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Squid-Cache | Squid | >= 2.0, <= 2.7 |
| Canonical | Ubuntu Linux | 16.04 |
| Fedoraproject | Fedora | 30 |
Related Weaknesses (CWE)
References
- http://www.squid-cache.org/Advisories/SQUID-2019_9.txtThird Party Advisory
- http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848ddRelease Notes
- http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7fRelease Notes
- https://bugzilla.suse.com/show_bug.cgi?id=1156328Issue TrackingThird Party Advisory
- https://github.com/squid-cache/squid/pull/427PatchThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2019/12/msg00011.htmlThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://usn.ubuntu.com/4213-1/Third Party Advisory
- https://www.debian.org/security/2020/dsa-4682
- http://www.squid-cache.org/Advisories/SQUID-2019_9.txtThird Party Advisory
- http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848ddRelease Notes
- http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7fRelease Notes
- https://bugzilla.suse.com/show_bug.cgi?id=1156328Issue TrackingThird Party Advisory
FAQ
What is CVE-2019-18677?
CVE-2019-18677 is a vulnerability with a CVSS score of 6.1 (MEDIUM). An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to inc...
How severe is CVE-2019-18677?
CVE-2019-18677 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-18677?
Check the references section above for vendor advisories and patch information. Affected products include: Squid-Cache Squid, Canonical Ubuntu Linux, Fedoraproject Fedora.