CVE-2022-41317

An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch	Patch Vendor Advisory
http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch	Patch Vendor Advisory
https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq	Mitigation Patch Third Party Advisory
https://www.openwall.com/lists/oss-security/2022/09/23/1	Mailing List Mitigation Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:squid-cache:squid::::::::
	cpe:2.3:a:squid-cache:squid::::::::

History

08 Aug 2023, 14:22

Type	Values Removed	Values Added
CWE	~~CWE-668~~	CWE-697

Information

Published : 2022-12-25 19:15

Updated : 2024-02-28 19:51

NVD link : CVE-2022-41317

Mitre link : CVE-2022-41317

CVE.ORG link : CVE-2022-41317

JSON object : View

Products Affected

squid-cache

squid

CWE

CWE-697

Incorrect Comparison

{"id": "CVE-2022-41317", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2022-12-25T19:15:10.767", "references": [{"url": "http://www.squid-cache.org/Versions/v4/changesets/SQUID-2022_1.patch", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.squid-cache.org/Versions/v5/changesets/SQUID-2022_1.patch", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/squid-cache/squid/security/advisories/GHSA-rcg9-7fqm-83mq", "tags": ["Mitigation", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.openwall.com/lists/oss-security/2022/09/23/1", "tags": ["Mailing List", "Mitigation", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-697"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Squid 4.9 through 4.17 and 5.0.6 through 5.6. Due to inconsistent handling of internal URIs, there can be Exposure of Sensitive Information about clients using the proxy via an HTTPS request to an internal cache manager URL. This is fixed in 5.7."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Squid 4.9 a 4.17 y 5.0.6 a 5.6. Debido al manejo inconsistente de los URI internos, puede haber exposici\u00f3n de informaci\u00f3n confidencial sobre los clientes que usan el proxy a trav\u00e9s de una solicitud HTTPS a una URL del administrador de cach\u00e9 interno. Esto se solucion\u00f3 en 5.7."}], "lastModified": "2023-08-08T14:22:24.967", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "12D3C02F-A954-4850-BF8E-B1C57531AD1E", "versionEndIncluding": "4.17", "versionStartIncluding": "4.9"}, {"criteria": "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0AA329B0-3111-4416-A9F0-32ED782323ED", "versionEndExcluding": "5.7", "versionStartIncluding": "5.0.6"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}