CVE-2020-15049

Published: 30 June 2020

An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing "+", "-" or an uncommon shell whitespace character prefix to the length field-value.
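The parsing gap described above can be shown with a strict Content-Length check next to a permissive one. This is an added example, not Squid's code: the function names and sample values are constructed, Python's `int()` stands in for a permissive parser, and vertical tab and form feed are assumed as examples of uncommon whitespace.

```python
import re

# RFC 7230 grammar: Content-Length = 1*DIGIT. Optional whitespace around a
# header field value is limited to SP and HTAB.
_DIGITS = re.compile(r"[0-9]+")


def lenient_length(raw):
    """Permissive parse: int() accepts a sign and any leading whitespace."""
    try:
        return int(raw)
    except ValueError:
        return None


def strict_length(raw):
    """Strict parse: trim SP/HTAB only, then require ASCII digits and nothing else."""
    value = raw.strip(" \t")
    if not _DIGITS.fullmatch(value):
        return None
    return int(value)


def disagreements(values):
    """Field values a permissive hop accepts but a strict hop rejects.

    Requests carrying such values are the ones two HTTP agents can frame
    differently, so a proxy should reject them rather than forward them.
    """
    return [v for v in values
            if lenient_length(v) is not None and strict_length(v) is None]


# Constructed sample field values (not taken from real traffic).
SAMPLES = ["42", " 42", "+42", "-42", "\x0b42", "\x0c42", "42\t", "4 2"]

if __name__ == "__main__":
    for value in disagreements(SAMPLES):
        print("reject:", repr(value))
```
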

Priority

Low

CVSS 3 base score: 8.8

Status

Package: squid

Release    Status
bionic     Does not exist
eoan       Ignored (reached end-of-life)
focal      Released (4.10-1ubuntu1.3)
groovy     Released (4.12-1ubuntu1)
hirsute    Released (4.12-1ubuntu1)
precise    Does not exist
trusty     Does not exist
upstream   Released (4.12)
xenial     Does not exist

Package: squid3

Release    Status
bionic     Released (3.5.27-1ubuntu1.9)
eoan       Does not exist
focal      Does not exist
groovy     Does not exist
hirsute    Does not exist
precise    Ignored (end of ESM support, was needed)
trusty     Does not exist
upstream   Needs triage
xenial     Released (3.5.12-1ubuntu7.15)