CVE-2019-18677
Public on 2019-11-26
Modified on 2024-03-08
Description
An issue was discovered in Squid 3.x and 4.x through 4.8 when the append_domain setting is used (because the appended characters do not properly interact with hostname length restrictions). Due to incorrect message processing, it can inappropriately redirect traffic to origins it should not be delivered to.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | squid | Pending Fix | ||
| Amazon Linux 2 - Squid4 Extra | squid | Pending Fix | ||
| Amazon Linux 2 - Core | squid | 2023-10-25 | ALAS2-2023-2318 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | CVSSv2 | 5.8 | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| NVD | CVSSv3 | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |