Vulnerability CVE-2020-15049: Information

Description

An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing "+\ "-" or an uncommon shell whitespace character prefix to the length field-value.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-15049
Published: June 30, 2020
Modified: Nov. 7, 2023
Error type identifier: CWE-444

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
squidsisyphus4.13-alt16.8-alt1ALT-PU-2020-3116-1260268Fixed
squidp104.13-alt16.6-alt1ALT-PU-2020-3116-1260268Fixed
squidp94.13-alt14.13-alt1ALT-PU-2020-3140-1260355Fixed
squidc10f14.13-alt16.6-alt1ALT-PU-2020-3116-1260268Fixed
squidc9f24.13-alt14.15-alt1ALT-PU-2020-3142-1260359Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch
  • Patch
  • Vendor Advisory
https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5
  • Third Party Advisory
http://www.squid-cache.org/Versions/v5/changesets/squid-5-485c9a7bb1bba88754e07ad0094647ea57a6eb8d.patch
  • Patch
  • Vendor Advisory
DSA-4732
    openSUSE-SU-2020:1346
      openSUSE-SU-2020:1369
        USN-4551-1
          [debian-lts-announce] 20201002 [SECURITY] [DLA 2394-1] squid3 security update
            https://security.netapp.com/advisory/ntap-20210312-0001/
              FEDORA-2020-cbebc5617e

                  1. Configuration 1

                    cpe:2.3:a:squid-cache:squid:2.7:stable3:*:*:*:*:*:*
                    cpe:2.3:a:squid-cache:squid:2.7:stable4:*:*:*:*:*:*
                    cpe:2.3:a:squid-cache:squid:2.7:*:*:*:*:*:*:*
                    cpe:2.3:a:squid-cache:squid:2.7:stable2:*:*:*:*:*:*
                    cpe:2.3:a:squid-cache:squid:2.7:stable5:*:*:*:*:*:*
                    cpe:2.3:a:squid-cache:squid:2.7:stable6:*:*:*:*:*:*
                    cpe:2.3:a:squid-cache:squid:2.7:stable7:*:*:*:*:*:*
                    cpe:2.3:a:squid-cache:squid:2.7:stable8:*:*:*:*:*:*
                    cpe:2.3:a:squid-cache:squid:2.7:stable9:*:*:*:*:*:*
                    cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
                    Start including
                    4.0
                    End excliding
                    4.12
                    cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
                    Start including
                    3.1
                    End including
                    3.5.28
                    cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
                    Start including
                    2.0
                    End including
                    2.6
                    cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*
                    Start including
                    5.0
                    End excliding
                    5.0.3

                    Configuration 2

                    cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
                VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
                Version: v24.5.1
                Back to top