CVE-2019-18677
Vulnerability from cvelistv5
Published
2019-11-26 16:21
Modified
2024-08-05 01:54
Severity ?
Summary
An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.
References
cve@mitre.orghttp://www.squid-cache.org/Advisories/SQUID-2019_9.txtThird Party Advisory
cve@mitre.orghttp://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patchRelease Notes
cve@mitre.orghttp://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patchRelease Notes
cve@mitre.orghttps://bugzilla.suse.com/show_bug.cgi?id=1156328Issue Tracking, Third Party Advisory
cve@mitre.orghttps://github.com/squid-cache/squid/pull/427Patch, Third Party Advisory
cve@mitre.orghttps://lists.debian.org/debian-lts-announce/2019/12/msg00011.htmlThird Party Advisory
cve@mitre.orghttps://lists.debian.org/debian-lts-announce/2020/07/msg00009.html
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/
cve@mitre.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/
cve@mitre.orghttps://usn.ubuntu.com/4213-1/Third Party Advisory
cve@mitre.orghttps://www.debian.org/security/2020/dsa-4682
Impacted products
n/an/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:54:14.540Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/squid-cache/squid/pull/427"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156328"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.squid-cache.org/Advisories/SQUID-2019_9.txt"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch"
          },
          {
            "name": "USN-4213-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4213-1/"
          },
          {
            "name": "FEDORA-2019-0b16cbdd0e",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"
          },
          {
            "name": "FEDORA-2019-9538783033",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"
          },
          {
            "name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html"
          },
          {
            "name": "DSA-4682",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4682"
          },
          {
            "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-10T23:06:16",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/squid-cache/squid/pull/427"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156328"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.squid-cache.org/Advisories/SQUID-2019_9.txt"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch"
        },
        {
          "name": "USN-4213-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4213-1/"
        },
        {
          "name": "FEDORA-2019-0b16cbdd0e",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"
        },
        {
          "name": "FEDORA-2019-9538783033",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"
        },
        {
          "name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html"
        },
        {
          "name": "DSA-4682",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4682"
        },
        {
          "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-18677",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/squid-cache/squid/pull/427",
              "refsource": "MISC",
              "url": "https://github.com/squid-cache/squid/pull/427"
            },
            {
              "name": "https://bugzilla.suse.com/show_bug.cgi?id=1156328",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.suse.com/show_bug.cgi?id=1156328"
            },
            {
              "name": "http://www.squid-cache.org/Advisories/SQUID-2019_9.txt",
              "refsource": "CONFIRM",
              "url": "http://www.squid-cache.org/Advisories/SQUID-2019_9.txt"
            },
            {
              "name": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch",
              "refsource": "CONFIRM",
              "url": "http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch"
            },
            {
              "name": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch",
              "refsource": "CONFIRM",
              "url": "http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch"
            },
            {
              "name": "USN-4213-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4213-1/"
            },
            {
              "name": "FEDORA-2019-0b16cbdd0e",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/"
            },
            {
              "name": "FEDORA-2019-9538783033",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/"
            },
            {
              "name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2028-1] squid3 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html"
            },
            {
              "name": "DSA-4682",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4682"
            },
            {
              "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2278-1] squid3 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-18677",
    "datePublished": "2019-11-26T16:21:59",
    "dateReserved": "2019-11-04T00:00:00",
    "dateUpdated": "2024-08-05T01:54:14.540Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-18677\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2019-11-26T17:15:12.923\",\"lastModified\":\"2023-11-07T03:06:53.810\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 un problema en Squid versiones 2.x, 3.x y versiones 4.x hasta 4.8 cuando la configuraci\u00f3n append_domain es usada (porque los caracteres a\u00f1adidos no interact\u00faan apropiadamente con las restricciones de longitud del nombre de host). Debido a un procesamiento incorrecto del mensaje, puede redireccionar inapropiadamente el tr\u00e1fico a los or\u00edgenes a los que no debe ser enviado.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.8},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0\",\"versionEndIncluding\":\"2.7\",\"matchCriteriaId\":\"466DF174-7C87-4D0E-B10D-F3F88014D9F5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0\",\"versionEndIncluding\":\"3.5.28\",\"matchCriteriaId\":\"FC9F2659-B37B-4E7B-AE40-B91BF3CE4E88\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0\",\"versionEndIncluding\":\"4.8\",\"matchCriteriaId\":\"A278895E-7005-4F4B-8649-A013F60E33D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:stable2:*:*:*:*:*:*\",\"matchCriteriaId\":\"EFBB466C-C679-4B4B-87C2-E7853E5B3F04\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:stable3:*:*:*:*:*:*\",\"matchCriteriaId\":\"A03692DD-779F-4E3C-861C-29943870A816\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:stable4:*:*:*:*:*:*\",\"matchCriteriaId\":\"79FF6B3C-A3CE-4AA2-80F9-44D05A6B2F08\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:stable5:*:*:*:*:*:*\",\"matchCriteriaId\":\"3CF6E367-D33B-4B60-8C40-4618C47D53E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:stable6:*:*:*:*:*:*\",\"matchCriteriaId\":\"0FA1F4FE-629C-4489-A13C-017A824C840F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:stable7:*:*:*:*:*:*\",\"matchCriteriaId\":\"2479C5BF-94E1-4153-9FA3-333BC00F01D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:stable8:*:*:*:*:*:*\",\"matchCriteriaId\":\"8ABFCCCC-7584-466E-97CC-6EBD3934A70E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squid-cache:squid:2.7:stable9:*:*:*:*:*:*\",\"matchCriteriaId\":\"F17E49BF-FB11-4EE6-B6AC-30914F381B2F\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CD783B0C-9246-47D9-A937-6144FE8BFF0F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A31C8344-3E02-4EB8-8BD8-4C84B7959624\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"97A4B8DF-58DA-4AB6-A1F9-331B36409BA3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"}]}]}],\"references\":[{\"url\":\"http://www.squid-cache.org/Advisories/SQUID-2019_9.txt\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\"]},{\"url\":\"http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://bugzilla.suse.com/show_bug.cgi?id=1156328\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/squid-cache/squid/pull/427\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2019/12/msg00011.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/07/msg00009.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTM74TU2BSLT5B3H4F3UDW53672NVLMC/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEMOYTMCCFWK5NOXSXEIH5D2VGWVXR67/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://usn.ubuntu.com/4213-1/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4682\",\"source\":\"cve@mitre.org\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.