CVE-2019-18677

An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.

Published: Nov 26, 2019
Updated: Apr 13, 2023
CVE: CVE-2019-18677
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N

CWEs:

CWE-352

Affected Software
References

Software	From	Fixed in
squid-cache / squid	2.7-stable3	2.7-stable3.x
squid-cache / squid	2.7-stable4	2.7-stable4.x
squid-cache / squid	2.0	2.7.x
squid-cache / squid	3.0	3.5.28.x
squid-cache / squid	4.0	4.8.x
squid-cache / squid	2.7-stable2	2.7-stable2.x
squid-cache / squid	2.7-stable5	2.7-stable5.x
squid-cache / squid	2.7-stable6	2.7-stable6.x
squid-cache / squid	2.7-stable7	2.7-stable7.x
squid-cache / squid	2.7-stable8	2.7-stable8.x
squid-cache / squid	2.7-stable9	2.7-stable9.x
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	19.04	19.04.x
canonical / ubuntu_linux	19.10	19.10.x
fedoraproject / fedora	30	30.x
fedoraproject / fedora	31	31.x

Vulnerability Database

289,599

CVE-2019-18677