Home > Vulnerability Database > CVE-2020-15810

Mend.io Vulnerability Database

CVE-2020-15810

Date: September 2, 2020

An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Smuggling attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the proxy cache and any downstream caches with content from an arbitrary source. When configured for relaxed header parsing (the default), Squid relays headers containing whitespace characters to upstream servers. When this occurs as a prefix to a Content-Length header, the frame length specified will be ignored by Squid (allowing for a conflicting length to be used from another Content-Length header) but relayed upstream.

Language: C++

Severity Score

6.5

Related Resources (22)

Url: https://usn.ubuntu.com/4551-1/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15810

Url: https://security.alpinelinux.org/vuln/CVE-2020-15810

Url: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-15810

Url: https://www.debian.org/security/2020/dsa-4751

Url: https://security.netapp.com/advisory/ntap-20210219-0007/

Url: https://security-tracker.debian.org/tracker/CVE-2020-15810

Url: https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html

Url: https://usn.ubuntu.com/4477-1/

Url: https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/

Url: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/

Url: https://access.redhat.com/security/cve/CVE-2020-15810

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/

Url: https://security.netapp.com/advisory/ntap-20210226-0007/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/

Url: https://security.netapp.com/advisory/ntap-20210226-0006/

Url: https://www.mend.io/vulnerability-database/CVE-2020-15810

Severity Score

6.5

Weakness Type (CWE)

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CWE-444

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	3.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	SINGLE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-15810

Date: September 2, 2020

Language: C++

Severity Score

Related Resources (22)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?