CVE-2019-18677: CSRF
First published: Tue Nov 26 2019(Updated: )
An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Squid-Cache Squid | >=2.0<=2.7 | |
| Squid-Cache Squid | >=3.0<=3.5.28 | |
| Squid-Cache Squid | >=4.0<=4.8 | |
| Squid-Cache Squid | =2.7-stable2 | |
| Squid-Cache Squid | =2.7-stable3 | |
| Squid-Cache Squid | =2.7-stable4 | |
| Squid-Cache Squid | =2.7-stable5 | |
| Squid-Cache Squid | =2.7-stable6 | |
| Squid-Cache Squid | =2.7-stable7 | |
| Squid-Cache Squid | =2.7-stable8 | |
| Squid-Cache Squid | =2.7-stable9 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.04 | |
| Canonical Ubuntu Linux | =19.10 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| ubuntu/squid | <4.4-1ubuntu2.3 | 4.4-1ubuntu2.3 |
| ubuntu/squid | <4.8-1ubuntu2.1 | 4.8-1ubuntu2.1 |
| ubuntu/squid | <4.9-2ubuntu1 | 4.9-2ubuntu1 |
| ubuntu/squid | <4.9-2ubuntu1 | 4.9-2ubuntu1 |
| ubuntu/squid | <4.9-2ubuntu1 | 4.9-2ubuntu1 |
| ubuntu/squid | <4.9-1 | 4.9-1 |
| ubuntu/squid3 | <3.5.27-1ubuntu1.4 | 3.5.27-1ubuntu1.4 |
| ubuntu/squid3 | <3.5.12-1ubuntu7.9 | 3.5.12-1ubuntu7.9 |
| debian/squid | 4.6-1+deb10u7 4.6-1+deb10u10 4.13-10+deb11u2 4.13-10+deb11u3 5.7-2 5.7-2+deb12u1 6.6-1 6.9-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.squid-cache.org/Advisories/SQUID-2019_9.txt
- http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch
- http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch
- https://bugzilla.suse.com/show_bug.cgi?id=1156328
- https://github.com/squid-cache/squid/pull/427
- https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/
- https://usn.ubuntu.com/4213-1/
- https://www.debian.org/security/2020/dsa-4682
- https://launchpad.net/bugs/cve/CVE-2019-18677
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/
- https://security-tracker.debian.org/tracker/CVE-2019-18677
- https://ubuntu.com/security/notices/USN-4213-1
- https://www.cve.org/CVERecord?id=CVE-2019-18677
- https://nvd.nist.gov/vuln/detail/CVE-2019-18677
- https://ubuntu.com/security/CVE-2019-18677
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2019-18677.
What is the severity of CVE-2019-18677?
The severity of CVE-2019-18677 is medium.
What is the affected software?
The affected software is Squid 3.x and 4.x through 4.8.
How does the vulnerability CVE-2019-18677 impact the affected software?
The vulnerability CVE-2019-18677 can inappropriately redirect traffic to origins it should not be delivered to due to incorrect message processing.
Is there a fix available for CVE-2019-18677?
Yes, a fix is available for CVE-2019-18677. Users should update to version 4.9-2ubuntu1 or later for Ubuntu, or apply the appropriate patches for other affected systems.
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/references
- agent/weakness
- agent/tags
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- vendor/squid-cache
- canonical/squid-cache squid
- version/squid-cache squid/2.0
- version/squid-cache squid/2.7
- version/squid-cache squid/3.0
- version/squid-cache squid/3.5.28
- version/squid-cache squid/4.0
- version/squid-cache squid/4.8
- version/squid-cache squid/2.7-stable2
- version/squid-cache squid/2.7-stable3
- version/squid-cache squid/2.7-stable4
- version/squid-cache squid/2.7-stable5
- version/squid-cache squid/2.7-stable6
- version/squid-cache squid/2.7-stable7
- version/squid-cache squid/2.7-stable8
- version/squid-cache squid/2.7-stable9
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.04
- version/canonical ubuntu linux/19.10
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- package-manager/debian
- package-manager/ubuntu