Detections
Analytics
Squid 3.5.x < 3.5.23 / 4.0.x < 4.0.17 Multiple Information Disclosure
low Nessus Network Monitor Plugin ID 9858
Synopsis
The remote proxy server is affected by multiple information disclosure attack vectors.Description
Versions of Squid 4.0.x prior to 4.0.17, and 3.5.x prior to 3.5.18 are affected by multiple vulnerabilities :- A flaw exists in the collapsed forwarding functionality in 'client_side_reply.cc' that is triggered as request headers are not properly compared, which can cause the program to deliver responses containing private data to clients it should not have reached. This may allow a remote attacker to gain access to potentially sensitive information from other sessions.
- A flaw exists in 'client_side_reply.cc' that is triggered during the handling of HTTP conditional requests. This may allow a remote attacker to gain access to potentially sensitive information from other sessions.
Solution
Upgrade to Squid version 4.0.17 or later. If 4.0.x versions cannot be obtained, version 3.5.23 is also patched for these vulnerabilities.See Also
http://www.squid-cache.org/Advisories/SQUID-2016_11.txt
http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_10_a.patch
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14127.patch
http://www.squid-cache.org/Versions/v4/changesets/squid-4-14956.patch
Plugin Details
Severity: Low
ID: 9858
Family: Web Servers
Published: 1/9/2017
Updated: 3/6/2019
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.7
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS v3
Risk Factor: Low
Base Score: 3.7
Temporal Score: 3.6
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:squid-cache:squid
Patch Publication Date: 12/16/2016
Vulnerability Publication Date: 12/16/2016
Reference Information
CVE: CVE-2016-10002, CVE-2016-10003