First published: Fri Mar 12 2021
An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/squid | <=4.13-7, <=4.6-1+deb10u4, <=4.6-1, <=4.13-5 | 4.13-8, 4.6-1+deb10u5 |
| Squid-Cache Squid | >=2.0 <4.14 | |
| Squid-Cache Squid | >=5.0.1 <5.0.5 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| NetApp Cloud Manager | | |
| debian/squid | 4.6-1+deb10u7, 4.6-1+deb10u10, 4.13-10+deb11u2, 4.13-10+deb11u3, 5.7-2, 5.7-2+deb12u1, 6.6-1, 6.9-1 | |
| ubuntu/squid | <4.10-1ubuntu1.3 | 4.10-1ubuntu1.3 |
| ubuntu/squid | <4.13-1ubuntu2.1 | 4.13-1ubuntu2.1 |
| ubuntu/squid | <4.13-1ubuntu3 | 4.13-1ubuntu3 |
| ubuntu/squid | <4.14 | 4.14 |
| ubuntu/squid3 | <3.5.27-1ubuntu1.10 | 3.5.27-1ubuntu1.10 |
| ubuntu/squid3 | <3.5.12-1ubuntu7.16 | 3.5.12-1ubuntu7.16 |
CVE-2020-25097 is an issue discovered in Squid that, due to improper input validation, allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the proxy's security controls.
The severity of CVE-2020-25097 is high, with a CVSS score of 8.6.
The affected software for CVE-2020-25097 includes Squid versions through 4.13 and 5.x through 5.0.4.
To fix CVE-2020-25097, update your Squid installation to version 4.6-1+deb10u7, 4.6-1+deb10u8, 4.13-10+deb11u2, 5.7-2, or 6.3-1, depending on your operating system.
More information about CVE-2020-25097 can be found on the MITRE website (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25097), the Squid security advisories page on GitHub (https://github.com/squid-cache/squid/security/advisories/GHSA-jvf6-h9gj-pmj6), and the Ubuntu security notices page (https://ubuntu.com/security/notices/USN-4895-1).