Home > Vulnerability Database > CVE-2020-15811

Mend.io Vulnerability Database

CVE-2020-15811

Good to know:

Date: September 2, 2020

An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorrect data validation, HTTP Request Splitting attacks may succeed against HTTP and HTTPS traffic. This leads to cache poisoning. This allows any client, including browser scripts, to bypass local security and poison the browser cache and any downstream caches with content from an arbitrary source. Squid uses a string search instead of parsing the Transfer-Encoding header to find chunked encoding. This allows an attacker to hide a second request inside Transfer-Encoding: it is interpreted by Squid as chunked and split out into a second request delivered upstream. Squid will then deliver two distinct responses to the client, corrupting any downstream caches.

Language: C++

Severity Score

6.5

Related Resources (22)

Url: https://usn.ubuntu.com/4551-1/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/

Url: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00017.html

Url: https://security.alpinelinux.org/vuln/CVE-2020-15811

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2020-15811

Url: https://www.debian.org/security/2020/dsa-4751

Url: https://security.netapp.com/advisory/ntap-20210219-0007/

Url: https://security-tracker.debian.org/tracker/CVE-2020-15811

Url: https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv

Url: https://lists.debian.org/debian-lts-announce/2020/10/msg00005.html

Url: https://usn.ubuntu.com/4477-1/

Url: https://access.redhat.com/security/cve/CVE-2020-15811

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/

Url: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00012.html

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BE6FKUN7IGTIR2MEEMWYDT7N5EJJLZI2/

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-15811

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HJJDI7JQFGQLVNCKMVY64LAFMKERAOK7/

Url: https://security.netapp.com/advisory/ntap-20210226-0007/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMTFLVB7GLRF2CKGFPZ4G4R5DIIPHWI3/

Url: https://security.netapp.com/advisory/ntap-20210226-0006/

Url: https://www.mend.io/vulnerability-database/CVE-2020-15811

Severity Score

6.5

Weakness Type (CWE)

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CWE-444

Incorrect Comparison

CWE-697

Top Fix

Upgrade Version

Upgrade to version 4.13, 5.0.4

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	4.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	SINGLE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-15811

Good to know:

Date: September 2, 2020

Language: C++

Severity Score

Related Resources (22)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?