CVE-2020-25097 — HIGH (8.6)

Q: How severe is CVE-2020-25097?

CVE-2020-25097 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-25097?

Check the references section above for vendor advisories and patch information. Affected products include: Squid-Cache Squid, Debian Debian Linux, Fedoraproject Fedora, Netapp Cloud Manager.

Vulnerability Description

An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.

CVSS Score

8.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Squid-Cache	Squid	>= 2.0, < 4.14
Debian	Debian Linux	10.0
Fedoraproject	Fedora	32
Netapp	Cloud Manager	-

Related Weaknesses (CWE)

CWE-20 CWE-444

References

http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_11.patchMailing ListPatchVendor Advisory
http://www.squid-cache.org/Versions/v5/changesets/SQUID-2020_11.patchMailing ListPatchVendor Advisory
https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6PatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202105-14Third Party Advisory
https://security.netapp.com/advisory/ntap-20210727-0010/Third Party Advisory
https://www.debian.org/security/2021/dsa-4873Third Party Advisory
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_11.patchMailing ListPatchVendor Advisory
http://www.squid-cache.org/Versions/v5/changesets/SQUID-2020_11.patchMailing ListPatchVendor Advisory
https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6PatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2020-25097?

CVE-2020-25097 is a vulnerability with a CVSS score of 8.6 (HIGH). An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbid...

How severe is CVE-2020-25097?

CVE-2020-25097 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-25097?

Check the references section above for vendor advisories and patch information. Affected products include: Squid-Cache Squid, Debian Debian Linux, Fedoraproject Fedora, Netapp Cloud Manager.