Your submission was sent successfully! Close

CVE-2020-15049

Published: 30 June 2020

An issue was discovered in http/ContentLengthInterpreter.cc in Squid before 4.12 and 5.x before 5.0.3. A Request Smuggling and Poisoning attack can succeed against the HTTP cache. The client sends an HTTP request with a Content-Length header containing "+\ "-" or an uncommon shell whitespace character prefix to the length field-value.

Priority

Low

CVSS 3 base score: 8.8

Status

Package Release Status
squid
Launchpad, Ubuntu, Debian
Upstream
Released (4.12)
Ubuntu 21.04 (Hirsute Hippo)
Released (4.12-1ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa)
Released (4.10-1ubuntu1.3)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: http://www.squid-cache.org/Versions/v4/changesets/squid-4-ea12a34d338b962707d5078d6d1fc7c6eb119a22.patch
squid3
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver)
Released (3.5.27-1ubuntu1.9)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (3.5.12-1ubuntu7.15)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist