CVE-2020-15811: Input Validation
First published: Mon Aug 24 2020(Updated: )
An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the browser cache and any downstream caches with content from an arbitrary source. Squid uses a string search instead of parsing the Transfer-Encoding header to find chunked encoding. This allows an attacker to hide a second request inside Transfer-Encoding: it is interpreted by Squid as chunked and split out into a second request delivered upstream. Squid will then deliver two distinct responses to the client, corrupting any downstream caches.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/squid | <=4.12-1<=4.6-1<=4.6-1+deb10u3 | 4.13-1 4.6-1+deb10u4 |
| debian/squid | 4.13-10+deb11u3 5.7-2+deb12u2 6.10-1 | |
| Squid Web Proxy Cache | <4.13 | |
| Squid Web Proxy Cache | >=5.0<5.0.4 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =20.04 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| openSUSE | =15.1 | |
| openSUSE | =15.2 | |
| IBM InfoSphere Guardium z/OS | <=10.5 | |
| IBM InfoSphere Guardium z/OS | <=10.6 | |
| IBM InfoSphere Guardium z/OS | <=11.0 | |
| IBM InfoSphere Guardium z/OS | <=11.1 | |
| IBM InfoSphere Guardium z/OS | <=11.2 | |
| IBM InfoSphere Guardium z/OS | <=11.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html
- https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv
- https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/
- https://security.netapp.com/advisory/ntap-20210219-0007/
- https://security.netapp.com/advisory/ntap-20210226-0006/
- https://security.netapp.com/advisory/ntap-20210226-0007/
- https://usn.ubuntu.com/4477-1/
- https://usn.ubuntu.com/4551-1/
- https://www.debian.org/security/2020/dsa-4751
- https://security-tracker.debian.org/tracker/CVE-2020-15811
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15811
- http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_8.patch
- https://security-tracker.debian.org/tracker/CVE-2020-15810
- https://security-tracker.debian.org/tracker/CVE-2020-24606
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968932
- https://launchpad.net/bugs/cve/CVE-2020-15811
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/187546
- https://www.ibm.com/support/pages/node/6455281 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-15811
- https://ubuntu.com/security/CVE-2020-15811
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2020-15811.
What is the severity of CVE-2020-15811?
The severity of CVE-2020-15811 is medium.
What is the affected software?
The affected software is Squid-Cache Squid versions before 4.13 and 5.x before 5.0.4.
What is the impact of this vulnerability?
This vulnerability allows HTTP Request Splitting attacks to succeed against HTTP and HTTPS traffic, leading to cache poisoning.
How can I fix CVE-2020-15811?
To fix CVE-2020-15811, upgrade to Squid version 4.13 or 5.0.4 or later.
- collector/debian-bugs
- alias/CVE-2020-15811
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/severity
- agent/weakness
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- collector/nvd-index
- collector/ibm-support
- source/IBM
- agent/softwarecombine
- package-manager/debian
- vendor/squid-cache
- canonical/squid web proxy cache
- version/squid web proxy cache/5.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/16.04
- version/ubuntu linux/18.04
- version/ubuntu linux/20.04
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/opensuse
- canonical/opensuse
- version/opensuse/15.1
- version/opensuse/15.2
- vendor/ibm
- canonical/ibm infosphere guardium z/os
- version/ibm infosphere guardium z/os/10.5
- version/ibm infosphere guardium z/os/10.6
- version/ibm infosphere guardium z/os/11.0
- version/ibm infosphere guardium z/os/11.1
- version/ibm infosphere guardium z/os/11.2
- version/ibm infosphere guardium z/os/11.3